Ledger hack - 270,000+ customers doxxed

phaz0rz · #1 12-22-2020

If any of you guys have bought a ledger in the past few years, you may be receiving threatening extortion letters by email and/or mail soon. I've already seen several examples. People are downloading the list then using software to email everyone on it, attempting to extort $xxx for "protection".

It's pretty crazy. The tiny town I live in has like 8 people on the list. I'm not going to post it but it's out there if anyone cares.

Mayhard · #2 12-22-2020

Are you referring to the Google doc?

phaz0rz · #3 12-22-2020

The thing I'm referring to is a 28MB text file with thousands of buyer details. I don't know if anybody has put it on Google docs. I saw it on anonfiles and github yesterday. It was also on pastebin but that was removed.

I'm assuming you're probably on there.

There's talk of a class action lawsuit but ledger has already made a statement saying they do not plan to reimburse affected users in any way.

james_112233 · #4 12-22-2020

They'll be really targeting the high net worth in crypto individuals no doubt. Everyone else will just get some sort of phishing email on a regular basis or some other form of social engineered scam.

phaz0rz · #5 12-22-2020

A guy on another board laid out his plan the other day..
1) download list, extract all emails
2) send everyone an email saying "send me $500 in BTC to this address or I'll come beat your head in with a wrench or whatever"
3) "I'm sure you can afford it given the recent gains"

Then, even if only 1% of people respond for the perceived "peace of mind" the guy could still end up with over $1mil in free bitcoin. There's no way of determining who the "whales" are on that list (aside from the 1 bill.gates email) because their BTC addresses aren't shown.

It's not the kind of thing I would go for but I can see people in 3rd world countries drooling over this list.

james_112233 · #6 12-22-2020

It's like winning the lottery in a sick twisted way.

e2free · #7 12-22-2020

Haha I did had email other day
Your Device has been disabled.

Unfortunately, due to the new KYC policy, you are required to pass identification:

https://docs.google.com/document/d/e...?embedded=true

Support Team.
89-P8XM8S57XS QT8257

phaz0rz · #8 12-22-2020

^^I see. So somebody created a spoof site to target the people in this email.. I guess.

So I guess your info is on the list, e2?

Mayhard · #9 12-22-2020

Quote:

Originally Posted by james_112233

It's like winning the lottery in a sick twisted way.

Where do you see a success in this?

It's just a list of emails who has bought a ledger device at some time.

james_112233 · #10 12-22-2020

Quote:

Originally Posted by Mayhard

Where do you see a success in this?

It's just a list of emails who has bought a ledger device at some time.

Not just a list of emails if those emails are also used on facebook, linkedin etc. You can track down people with their email addresses these days.

And then the social engineering begins.

I'm not a scammer so I don't know exactly what you could do, but i'm fairly sure there are many things you can do.

e2free · #11 12-22-2020

Quote:

Originally Posted by phaz0rz

^^I see. So somebody created a spoof site to target the people in this email.. I guess.

So I guess your info is on the list, e2?

Yes and it is available to download on the forum its crazy it contains name email.phone number address etc

Beautiful · #12 12-22-2020

Lots of emails/name/addresses have been leaked

if you bought a ledger, watch out for phishing emails, many people are receiving them

you can check here if your information was leaked

1. https://haveibeenpwned.com/
2. https://intelx.io/?did=8761746e-d333...d-9100c8722799

--------

Learn from their mistake, if you're going to order a hardware wallet in the future

1. Use a fictitious email + fictitious name, if you're having it mailed to your home

2. Ideally you want to get yourself a business UPS box, that has no ties to your name or ties to where you live

--------

Ledger has shown in the past to be greedy over having integrity, go for an open source wallet like trezor or coldcard if you're a little more tech savvy

Here's a great site with tons of resources: https://www.lopp.net/bitcoin-informa...d-wallets.html

phaz0rz · #13 12-22-2020

That's an insightful post, amazon guy.

Quote:

Originally Posted by Mayhard

It's just a list of emails who has bought a ledger device at some time.

Except that it also includes the buyer's home address, phone number, and real name.
When people order physical products to be shipped to them they usually provide their real info.. and that's the problem here.

james_112233 · #14 12-23-2020

Quote:

Originally Posted by Beautiful

Lots of emails/name/addresses have been leaked

if you bought a ledger, watch out for phishing emails, many people are receiving them

you can check here if your information was leaked

1. https://haveibeenpwned.com/
2. https://intelx.io/?did=8761746e-d333...d-9100c8722799

--------

Learn from their mistake, if you're going to order a hardware wallet in the future

1. Use a fictitious email + fictitious name, if you're having it mailed to your home

2. Ideally you want to get yourself a business UPS box, that has no ties to your name or ties to where you live

--------

Ledger has shown in the past to be greedy over having integrity, go for an open source wallet like trezor or coldcard if you're a little more tech savvy

Here's a great site with tons of resources: https://www.lopp.net/bitcoin-informa...d-wallets.html

Just checked that first site pwned and my primary email address has been leaked through 7 DATA BREACHES including MONEYBOOKERS and BLACKHATWORLD ... wow !

But I have to admit google's done a fairly fantastic job filtering the spam and putting them in to my spam box.

Soundofsilence · #15 12-23-2020

Quote:

Originally Posted by Beautiful

Lots of emails/name/addresses have been leaked

if you bought a ledger, watch out for phishing emails, many people are receiving them

you can check here if your information was leaked

1. https://haveibeenpwned.com/
2. https://intelx.io/?did=8761746e-d333...d-9100c8722799

--------

Learn from their mistake, if you're going to order a hardware wallet in the future

1. Use a fictitious email + fictitious name, if you're having it mailed to your home

2. Ideally you want to get yourself a business UPS box, that has no ties to your name or ties to where you live

--------

Ledger has shown in the past to be greedy over having integrity, go for an open source wallet like trezor or coldcard if you're a little more tech savvy

Here's a great site with tons of resources: https://www.lopp.net/bitcoin-informa...d-wallets.html

Thanks for the site, I just came to know that my data was breached 3 times in last 3 years and I just came to know about it when I read your message and checked (haveibeenpwned.com)

going to signup for some password managers any recommendation which is better than lastpass.com ?

Soundofsilence · #16 12-23-2020

I was just researching whether to get ledger or trezor and when I typed in google ledger and on top there was a hack news posted an hour ago so I placed order on trezor and then I found this post here on forum.

I'm so lucky because If I was an hour earlier on making decision then I would have paid ledger to get hardware wallet. :D

phaz0rz · #17 12-23-2020

lol well in all fairness, they've probably patched up whatever caused this breach by now.

Soundofsilence · #18 12-23-2020

That is true as only personal informations were leacked and bitcoin were secure all the time unless non-tech person becomes victim of phishing scam.

Still I doubt now and will prefer trezor as it's open source completely.

Yes, I know ledger device seems to be secure unless some hacker has physical access to it.

All hardware wallets were successfully hacked with physical access to it by profestionals using weird methods as per kaspersky daily article.

I was surprised to read about the method of hacking trezor wallet by looking into ram while it's going through firmware update.

Here is the link :

https://www.kaspersky.co.in/blog/har...-hacked/15027/

phaz0rz · #19 12-23-2020

My question : why even use a hardware wallet when using an encrypted software wallet (electrum) is just as secure? Maybe more secure because you don't have to provide your real information to a company in order to have a device shipped to you.

Yes it's true you could have a hardware wallet shipped to a business address like beautiful said but most people won't do that. It seems like hardware wallets could be used as a way of identifying bitcoin users. Regardless of who you order it from, you're buying from a company who's going to store your info in a database, like Ledger.

Soundofsilence · #20 12-23-2020

Quote:

Originally Posted by phaz0rz

My question : why even use a hardware wallet when using an encrypted software wallet (electrum) is just as secure? Maybe more secure because you don't have to provide your real information to a company in order to have a device shipped to you.

Yes it's true you could have a hardware wallet shipped to a business address like beautiful said but most people won't do that. It seems like hardware wallets could be used as a way of identifying bitcoin users. Regardless of who you order it from, you're buying from a company who's going to store your info in a database, like Ledger.

I was not aware that it's that much secure and it's encrypted, I used it today for the 1st time and transacted once but very small amount for testing purposes. I'll do more research. Thanks

jackreacher · #21 12-23-2020

Quote:

Originally Posted by phaz0rz

That's an insightful post, amazon guy.

Except that it also includes the buyer's home address, phone number, and real name.
When people order physical products to be shipped to them they usually provide their real info.. and that's the problem here.

I can't find the list of names and addresses , but I can see my email.

Are you sure,
is there a link?
.