The phone numbers, email and postal addresses of over 270,000 owners of the Ledger cryptocurrency hardware wallet have been made freely available for download from a hacking forum.
The information, which is accompanied by the email addresses of over one million people who have subscribed to the Ledger newsletter, is believed to have originally fallen into the hands of criminals following a security breach at the firm back in June 2020.
Initially made available for sale through underground hacking forums populated by cybercriminals, the data is now available at no cost.
And that, inevitably, means that more and more malicious parties may attempt to exploit the information in an attempt to defraud the unwary and intimidate Ledger customers.
Such attacks are already occurring on a regular basis.
Earlier this month, for instance, Bleeping Computer reported that Ledger customers have been receiving breach notification emails saying that users need to install a new version of the Ledger Live software and reset their PIN.
However, despite appearances, the emails did not really come from Ledger but were instead sent by cybercriminals to direct unsuspecting users to a fake version of Ledger Live for Windows which would steal wallet users’ recovery phrase and secret passphrase (if they have enabled that extra layer of security).
With such information, an attacker could gain full access to a users’ cryptocurrency funds.
And just today, Ledger warned customers about another scam which has seen attackers demand a $500 ransom not to invade recipients’ homes, using information presumably leaked from the company’s servers.
At the time of writing, Ledger says it has shut down 171 phishing sites in the last two months. With the data related to Ledger’s customer base being so freely available, the number of phishing sites targeting users is only going to rise.
Ledger is asking customers who receive fake communications pretending to be from the company to report it to them.
Ledger emphasises to customers that it will never deactivate users’ devices (it’s not uncommon for phishing attacks to make such threats to trick unsuspecting users into making poor decisions), and will never contact customers via text message or phone call.
But perhaps most importantly of all, Ledger says that users should never share the 24 words of their recovery phrase “with anyone under any circumstances.” The secret recovery phrase should only ever be entered onto the Ledger device itself. or your cryptocurrency holdings could slip through your fingers.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.View all posts
May 16, 2023
March 10, 2023