One of the most prominent bitcoin and ethereum crypto wallets, Ledger, has announced that its e-commerce and marketing database was accessed by an unauthorized third party. They say:
“Contact and order details were involved. This is mostly the email address of our customers, approximately 1M addresses. Further to investigating the situation we have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products.”
The hardware technology is not affected according to Ledger, which says all the assets are safe. Only the databases of information are affected.
They say a third party’s API key hosted on their webpage was misconfigured. Ledger has not named this third party.
“The API key misconfiguration at issue has been running since August 9th, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28th, 2020,” they say.
The issue has now been fixed and authorities have been notified, but some are wondering why they kept the home addresses, phone numbers or any of the other details. Ledger has not provided an explanation.
It may be these were customers who had just ordered and were waiting for the product, or were recent customers with Ledger presumably keeping the details for a few months just in case of refunds and the like.
Authorities have been notified, they say, and the issue has now been fixed, with questions remaining as to why they kept phone numbers and the like.