Ledger, the hardware-wallet maker, disclosed details of the vulnerability that allowed attackers to access the personal information of around one million users.
On July 14, a third-party researcher participating in a bug-bounty program reported the vulnerability. The investigation found that on June 25 an unknown party had gained access to a database containing email and mailing addresses, names, phone numbers, and information about Ledger products purchased. The unauthorized access was achieved using an API key, which has since been deactivated.
The company gave assurances that payment data, bank card information and cryptocurrency accounts were not compromised and remain secure. The developers noted that they remediated the vulnerability promptly after discovery and apologized to their users.
In a thread on Twitter, the company urged wallet owners to be vigilant against phishing attacks and not to reveal their recovery phrase.
Be mindful of phishing attempts by malicious scammers — never give your 24 words recovery phrase. Ledger will never ask for it.
— Ledger (@Ledger) July 29, 2020
Earlier in July, Kraken researchers uncovered vulnerabilities in Ledger Nano X hardware wallets. Previously, ZenGo developers disclosed a potential double-spend vulnerability identified in BRD and Edge products.
