Hardware wallet manufacturer Ledger has suffered another massive data breach for the second time this year. The exposure of thousands of clients’ personal information has increased the threat of SIM swapping as an attack vector.
For the second time this year, personal data from Ledger wallet buyers has been dumped online. The leak was posted by several members of the crypto community who found files allegedly containing the ‘full database’ of Ledger customers containing emails, phone numbers, and even physical addresses.
Ledger Data Leaked (Again)
Ledger played down the data breach by claiming it was old data from the June 2020 server breach.
Industry researchers called it ‘unforgivable’;
“IMO this Ledger leak is unforgivable. You simply can’t sell hardware wallets and store the personal information of your customers on an online server. Cut off business with them, only way companies in this space are gonna learn to take our physical security seriously.”
Analyst Larry Cermak said this latest leak was ‘much much worse’ than the last;
There is also now an inherent danger that SIM swapping attacks will be used to target Ledger customers now that their phone numbers and addresses have been leaked.
What is SIM Swapping and How to Avoid it?
Industry analyst Alex Krüger has warned of an impending wave of SIM swapping attacks following the Ledger leak. Since phone numbers were leaked and smartphones are normally used to authenticate transactions, the fallout could be devastating;
SIM swapping occurs when an attacker contacts the victim’s wireless/mobile carrier and is able to convince the call center employee that they are the victim using stolen personal data.
With an arsenal of new data including email addresses, the phone number itself, and even physical addresses for Ledger users, this would be relatively easy to pull off for cybercriminals.
The attacker then asks the provider to activate a new SIM card connected to the victim’s phone number on a new phone in their possession. With this, they can access the 2FA security measures used by Ledger devices and crypto exchanges. What happens next is inevitable — an emptied hardware wallet.
The U.S. Federal Trade Commission issued a warning and prevention guide which includes suggestions on limiting the sharing of personal information. However, when companies that are trusted with security cannot secure data themselves, what hope has the consumer got?
As a number of Ledger users have painfully found out, crypto-assets can be easily stolen from hardware wallets. The victims are left to suffer alone when it happens as there is usually little-to-no recourse whatsoever from the manufacturers.