In June 2020, the French company Ledger announced that it was the victim of a data breach. A year later, its clients are still the target of scams, sometimes very elaborate, despite the startup’s notable efforts to combat them.
In June 2020, the French company Ledger suffered a major data breach. Intruders stole files used by its customer service and marketing teams, which contained more than a million customer email addresses, as well as the name, postal address and phone number of a few thousand of them. Initially, this data was sold on rather obscure markets. Then, 6 months later, in December 2020, an individual posted 270,000 lines of this file on a public forum.
A year later, Ledger is still cleaning up the mess. The latest incident was reported by Bleeping Computer on June 16. A Ledger user received in the mail a package apparently sent by the company. Suspicious, he asked members of the Reddit r/Ledgerwallet forum to confirm that it was indeed a scam. “As a victim of the latest data breach, I signed up for Reddit just to post this,” he explains. The Have I Been Pwned site, a sort of search engine for data breaches, lets Ledger customers check whether their data is part of the leak.
With photos as evidence, the author of the post shows the contents of the package: two layers of packaging in Ledger’s colours, a letter allegedly signed by CEO Pascal Gauthier, a user manual, and a supposed Nano X key, Ledger’s premium product for securing access to a cryptocurrency wallet. The user even went so far as to disassemble the device to photograph its printed circuit board and compare it with that of the Ledger key he already owns.
Very quickly, Nicolas Bacca, co-founder and CTO of Ledger, responded to the post himself. “It is a fake device, do not use it. We have already investigated this kind of manipulation,” he writes under his nickname “BTChip”.
The fake Ledger hides a USB stick
The letter, written in poor English, explains to the recipient that he must replace his Ledger key with the one contained in the package because of… the data leak. “For this reason, we have changed the structure of our device. We now guarantee that this kind of leak will never happen again,” the crooks invent to justify the strange package. The thieves use the leaked information both to target customers and as a pretext to mislead them.
Seen from the outside, the device looks like a Nano X, but on the inside the crude solder joints show that something is wrong. According to Bleeping Computer, a simple USB key was built into the Ledger, probably to carry malware. The user manual instructs the victim to connect the Ledger to the computer, open the folder that appears, and launch the application on it. In reality, this would trick the user into deploying the malware on their own computer.
But the manual doesn’t stop there: it then asks the owner of the Ledger to enter their passphrase, the 24-word sequence that allows access to the cryptocurrency wallet even if the credentials are lost. If the victim gives up their passphrase, the cybercriminals can configure a Ledger in their possession to access the victim’s wallets and empty them, leaving the victim with no recourse.
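The tell-tale sign in the scenario above is that a hardware wallet never shows up as a removable drive with a folder to open. As an added example (not from the article, Bleeping Computer or Ledger), the script below parses `lsusb -v`-style output (the sample is constructed, with placeholder vendor/product IDs) and flags any device whose descriptor strings claim to be a Ledger while exposing a USB mass-storage interface; it assumes a genuine Ledger enumerates as a HID device only.

```python
"""Added example: flag a "hardware wallet" that is really a USB storage stick.
Parses lsusb -v style output (constructed sample, placeholder IDs) and reports
devices whose strings claim to be a Ledger while exposing a mass-storage
interface. Assumes a genuine Ledger enumerates as HID only, never as storage."""
import re
from dataclasses import dataclass

CLASS_MASS_STORAGE = 0x08  # USB interface class code for Mass Storage
WALLET_MARKERS = ("ledger", "nano")

# Constructed lsusb -v excerpt: device 004 is HID-only (expected for a wallet),
# device 005 copies the wallet's strings but is actually a storage stick.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 0000:0001 Ledger Nano X
  iManufacturer           1 Ledger
  iProduct                2 Nano X
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 005: ID 0000:0002 Constructed Flash Drive
  iManufacturer           1 Ledger
  iProduct                2 Nano X
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
"""

@dataclass
class UsbDevice:
    ident: str    # vendor:product as printed by lsusb
    strings: str  # summary line plus manufacturer/product strings
    classes: list # bInterfaceClass of every interface

def parse_lsusb(text: str) -> list:
    """Split lsusb -v output into one UsbDevice per 'Bus ... Device ...' block."""
    devices = []
    for block in re.split(r"(?m)^(?=Bus \d+ Device \d+:)", text):
        if not block.strip():
            continue
        ident = re.search(r"ID ([0-9a-fA-F]{4}:[0-9a-fA-F]{4})", block).group(1)
        names = re.findall(r"(?m)^\s*i(?:Manufacturer|Product)\s+\d+\s+(.+)$", block)
        classes = [int(c) for c in re.findall(r"bInterfaceClass\s+(\d+)", block)]
        devices.append(UsbDevice(ident, " ".join([block.splitlines()[0]] + names), classes))
    return devices

def suspicious_wallets(text: str) -> list:
    """Return (ident, reason) for devices that claim to be a wallet but expose storage."""
    findings = []
    for dev in parse_lsusb(text):
        claims_wallet = any(m in dev.strings.lower() for m in WALLET_MARKERS)
        if claims_wallet and CLASS_MASS_STORAGE in dev.classes:
            findings.append((dev.ident, "wallet strings but mass-storage interface"))
    return findings
```

Running `suspicious_wallets(SAMPLE_LSUSB)` flags only the second device; on a real machine, feed it the output of `lsusb -v` instead of the constructed sample.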
This scam is a particularly advanced example. But over the past year, Ledger’s customers have received numerous simpler phishing attempts, like the one Cyberwar analysed in October 2020.
Ledger has nonetheless handled the post-leak period well
The consequences of the data breach seem endless, and yet Ledger handled the post-leak pretty well:
- First, it immediately communicated transparently about the incident, both through an official statement and on its social media.
- Then the company took several steps: it hired a new security manager; paid an external company to carry out penetration tests on its network in search of vulnerabilities; and, above all, it fights very actively against phishing sites.
- The French startup has taken down hundreds of fraudulent sites in a year, and according to our observations they rarely stay online for more than a day, which considerably limits the number of potential victims.
- In addition, a phishing-prevention banner is now permanently displayed on the home page of its site, and the company regularly answers its customers’ doubts on social networks. It also compiles the fraud attempts reported by its customers on a dedicated page. In May, for example, that page records an attempted scam similar to the one the Reddit user encountered.
“Ledger cannot and will not deactivate a device.”
Contacted by Cyberwar about the story posted on Reddit, Ledger responded very quickly. “Ledger will never send a replacement Nano if this has not been specifically agreed with the customer. If a Ledger customer receives a Nano they have not requested, it is advisable either to discard it or to contact us and send it directly to us for analysis,” a spokesperson for the company recalls, before adding: “Ledger cannot and will not deactivate a device. We are not in a position to do so. Ledger will never contact a customer by text, post or telephone. Ledger only communicates by email and through its official social networks.” These statements are another reminder that, to detect phishing, it is usually enough to ask a few questions about the scenario being proposed to us.
Fortunately for the startup, these attempted scams don’t seem to hurt its business much. At the end of 2020, CEO Pascal Gauthier welcomed a “clear increase in sales” and a “massive influx of new users” in Le Figaro, with some days at “more than 450% of sales” compared to 2019. It must be said that the explosion in the price of cryptocurrencies, bitcoin first among them, keeps attracting more curious people, and therefore potential customers for Ledger. Although the price has fallen back since the start of the year, it continues to grow over the long term.
This trend has enabled Ledger to raise $380 million, an amount still rare in the French ecosystem, and to join Doctolib, Blablacar and Meero among the most highly valued French startups.