Despite the security measures that Ledger owners have, a data breach has occurred after a website vulnerability by a threat actor who has leaked stolen email and emailing addresses for Ledger cryptocurrency wallet users on a hacker forum for free.
Ledger is a hardware cryptocurrency wallet; funds within these wallets are secured using a 24-word recovery phrase and an optional secret pass phrase that only the owner knows.
Ledger confirmed in a tweet that this data dump is likely form the June 2020 data breach.
Leakage of such sensitive data poses a significant risk as it provides numerous threat actors that can be used in phishing attacks against Ledger owners, who have already been targeted since October 2020 with phishing emails telling them to download a new version of ledger live to secure their cryptocurrency assets with new security pin.
The fake ledger live application requires the entry of the ledger owner’s secret recovery phrase and passphrase, which will be sent to the attackers allowing them to steal the victim’s cryptocurrency assets.
Could Ledger owners prevent the attack?
- Ledger recovery phrase or secret passphrase should only be entered on a ledger device you are trying to recover. Never tell these phrases to anyone and never enter them into any app or website.
- Contact Ledger support if you receive postal mail about your Ledger device, do not act upon it or visit any site listed in that mail.
- Contact your cellular provider to discuss the availability of enabling a protection that blocks number transfers in order to secure your mobile account against attacks.
- Finally, disregard any emails claiming to be from Ledger, stating data breach, hardware deactivation or asking for confirming transaction. These are all phishing scams attempting to steal your cryptocurrency.
Ledger has released a web page where you can find more about phishing scams targeting Ledger owners.