Hackers have managed to breach the e-commerce database of popular cryptocurrency hardware wallet maker Ledger, and stole one million emails from it. The emails are, at least yet, not for sale on the darknet.

According to a notice Ledger published, on June 14 a researcher participating in its bounty program unveiled a potential security breach on the Ledger website, which was “immediately fixed” after undergoing an internal investigation.

A week after the breach was patched, Ledger noted, the firm discovered it was exploited on June 25 by a hacker who managed to access its e-commerce and marketing database to steal user data. Per the firm, the hackers mostly stole email addresses, and for a subset of 9,500 users they got first and last names, postal addresses, and phone numbers. The firm wrote:

Contact and order details were involved. This is mostly the email address of our customers, approximately 1M addresses.

No cryptocurrency or payment information was stolen in the breach. The hacker managed to access Ledger’s database via an API key that was since deactivated and is no longer accessible, the firm clarified.

Ledger says it has already informed affected users of the situation, and clarified that no payment information and no credentials such as passwords were stolen. Its hardware wallets and Ledger Live applications were also not affected by the security breach.

In the aftermath of the breach, Ledger contacted the CNIL, the French Data Protection Authority that ensures data privacy laws are applied, and partnered with Orange Cyberdefense, a cybersecurity firm, to assess the potential damages of the data breach. It also filed a formal complaint with authorities.

The firm further added it is “actively monitoring for evidence of the database being sold on the internet, and have found none thus far.”  It’s now ramping up security with penetration tests, and by extending to e-commerce the scope of its security that was originally focusing on its hardware wallets and vault.

Ledger Recommends Caution

As users’ emails were leaked, Ledger has noted it recommends users exercise caution, by being mindful of phishing attempts by scammers. It clarified “Ledger will never ask you for the 24 words of your recovery phrase.” The firm pointed out:

If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.

Ledger also advised users to visit Ledger Academy’s security section to learn more about security principles and about phishing attacks. It’s worth noting that in May a hacker was allegedly looking to sell client information belonging to crypto hardware wallet manufacturers Trezor, KeepKey, and Ledger.

At the time the firm claimed they found no evidence their database had been breached, and that the hacked database for sale did not match its own.

Featured image via Pixabay.