Cryptocurrency hardware wallet manufacturer Ledger suffered a data breach in late June, the team revealed in a blog post that was published on July 29.
The attack, which targeted the company’s marketing and e-commerce database, has exposed the personal information of 1 million users. The information is largely email addresses of customers who have placed orders with Ledger. However, 9500 customers have had additional information compromised, including names, addresses, phone numbers and orders.
No payment information or login credentials were compromised. Ledger also stressed that neither its hardware wallets nor Ledger Live had been affected.
The vulnerability was first reported on July 14 through the bug bounty program. The security team patched it, but then discovered that it had been exploited on June 25.
Ledger has begun an investigation, filing a complaint with authorities. They have not discovered evidence of the database being sold, saying,
“We are actively monitoring for evidence of the database being sold on the internet, and have found none thus far. We also performed an internal penetration testing and we are pushing forward the external penetration testing that was originally planned for September.”
Competing hardware wallet manufacturer Trezor took a thinly veiled shot at Ledger on Twitter, saying that it removed personal data from e-commerce databases every 90 days,