I have had two Ledger Nano X* cryptocurrency wallets for a couple of years now. One of them died during a firmware update which they offered to replace but I didn’t print the label and send it in time. That’s on me and if that was the only problem I had I could have lived with it.
Unfortunately Ledger collects a lot of personal information about you such as your email address, phone number and even your home address! They failed to protect this information and got hacked and all of this data was exposed. Funds were not stolen because of the way hardware wallets work (your private key never leaves the device and is generated by the end user) but apparently everything else except the money was (all your personal data, how much you have, etc)!
I was a confirmed “victim” of this hack and I wanted to write this article to explain what (if anything) has happened since. Spoiler alert: plenty!
First Notice – July 29th 2020
The first notice I received was in July 2020 and didn’t sound too serious. They clearly didn’t realize the extent of what they were dealing with at the time. It sounded like mostly just email addresses (they only said a small subset had more information stolen).
I was already getting contacted at this point and I’m sure many others were as well which likely is what initially prompted them to send out this notice. Here is the first notice I received:
Ledger Security Notice #1 – July 29th 2020
By now I had already started receiving phone calls/texts/emails but we’ll get into that more later.
Second Notice – December 21st 2020
Almost a full 6 months later I received a second notice that was a lot more serious. Here it is:
Ledger Security Notice #2 – December 21st 2020
Now that is a lot more specific! They’re getting warmer. They now know that my name and surname and my postal address was exposed.
Initially when I received this I thought they’re still not quite there yet. My phone number was most certainly also leaked but that didn’t seem to be in their list. Very curious!
Third Notice – December 23rd 2020
Only a couple of days later I received a third notice. This one did have my phone number included but this one is a different hack altogether. This one is the “Shopify” hack which happens to be Ledger’s e-commerce vendor.
Here is the third notice:
Ledger Security Notice #3 – December 23rd 2020
The notice states that this hack was reported to Shopify in September of 2020 which was months after I received my notice for the first hack. They got their information stolen/hacked again in a separate incident with their e-commerce vendor.
This means there are now multiple copies of all my personal information like phone number and address, cryptocurrency balances at the time, email, etc. floating around in multiple separate hacking incidents and data dumps. This is a device that is supposed to help you protect your cryptocurrency and keep it safe. What a mess!
Spam Emails
The spam emails have only continued to increase over time. This is probably because my leaked information is on lists being sold/passed around to various spammers. They are *very* targeted toward cryptocurrency.
Gone are the days where my spam folder is filled with people trying to sell me Viagra (there is still one in there keen readers may spot). It now looks like this:
Gmail Spam Folder after Ledger data leak
I even have a message from elon @ give-away tesla.com with a 5000 BTC giveaway, wow! This has and continues to be a pretty dramatic change from what it looked for before the leak when nobody knew this email address was tied to cryptocurrency.
Spam Text/Voicemails
Fortunately these have decreased in frequency over time. Early on when the leaks were still fresh and even before we were notified of the breach I was getting multiple of these per day. It has been a couple of months since I got a cryptocurrency related spam voicemail. The texts don’t seem to be coming through as frequently lately either.
I should note though that I have a Google Pixel phone running the latest Android and they have been improving their SMS/voicemail spam detection. It’s possible these attempts haven’t decreased at all but rather that Google’s spam filter is getting much better at catching them now that these attacks have been going on for a while.
Final Thoughts
I’m very disappointed that Ledger has somehow managed to leak my most personal data such as cell phone number, cryptocurrency balances, email address, home address, etc. multiple times across several different hacks. The spookiest part of it has been how targeted some of these email/SMS messages are. They know exactly which cryptocurrencies I have so they will specifically target Ethereum, Litecoin and some of the others that I was holding a balance on during these leaks.
Buying from Ledger directly (where they ship it to you from France) is supposed to be the safest way to buy it since there have been some instances of devices being tampered with on third party retailers. My initial data leak was directly because I bought it from them instead of Amazon. There have been several more though so now it’s difficult to tell if it would have made any difference across these multiple leaks. I have had a Trezor One* for much longer than both of my Ledger devices and none of that data has ever been leaked.
I use my Ledger every single day. I am using it to stake multiple cryptocurrencies during my journey to learn about and discover staking (stay tuned for some articles on this) and use it to sign my staking transactions. The device is pretty nice to use and supports by far the most cryptocurrencies out there. It has kept my cryptocurrency safe. I wish I could say the same about my personal data.
I really strongly encourage Ledger to permanently get rid of and scrub all these programs to gather data on your customers. Why do you need to keep this sales and marketing list that got initially hacked? Why does Shopify have a database of all this info waiting to be stolen? These appear to be the vendors that you yourselves selected and entered into agreements with. It can’t be worth whatever they paid you to be able to gather/collect this information, and if you didn’t know they were doing it then I sincerely hope you have completely redone those agreements by now to make sure they aren’t collecting a big database of this information.
Have any of you out there reading this been negatively impacted by these data leaks? I’m curious what your stories are!
Thank you so much for leaving this! What a rough couple of years for cryptocurrency for sure. I’ve been in the space a decade now and I don’t think I’ve ever been more disgusted with it in general (or had more doubts)!
Nevertheless I would not trade having my email/phone added to spam lists for having all of my money tied up in one of these centralized exchanges that are now going through bankruptcy. Ledger hasn’t had any more leaks since I posted this so hopefully that means they’ve learned their lesson and cleaned up their practices substantially.
Theoretically the answer would be to choose a different hardware wallet but at the time realistically your choices were Trezor or Ledger and I actually have one of each. There are probably more choices now (or there’s always a paper wallet I guess?) but I’ve always been perfectly happy with the Ledger other than this happened. Given the state of cryptocurrency I haven’t wanted to invest in a bunch of new hardware wallets to test so I’ve been sticking with the Ledger.
In fact it’s almost more logical for me to stay with Ledger because they’ve already screwed up and leaked my data and been burned by it. If I tried some up-and-coming new hardware wallet company that would probably be a company that hasn’t learned that lesson yet and unless they consciously and intentionally chose to use better data practices to avoid that then it’s only a matter of time before it would be their turn to learn that lesson (and then yet another copy of all my data would be flying around in a totally separate/new leak).
To be clear I’m not defending them. I hate that they did this and I bet they hate that they did it now too. The amount they gained selling my information to these marketing companies to track me (which is what was stolen/leaked by the hackers) could not possibly have been worth the absolute disaster / hit to their reputation it caused. That was a stupid and shortsighted decision. They said they didn’t know our information was being collected and this was set up without their knowledge by one of their partners. That only changes the question to a potentially more disturbing one of how do you have no idea what your partners are doing with your customer data and why aren’t you vigorously safeguarding that information?
All I’m saying is that the good news is that in the time since I wrote this they haven’t screwed up again and they haven’t given me any reason to stop using them otherwise if that makes sense.
I still don’t recommend holding any coins in centralized exchanges. However people want to hold their coins it will be better and smarter than keeping them in exchanges. Not your keys not your coins blah blah blah you guys know the drill but it’s true. Whether you’re using a paper wallet, an actual installed copy of the blockchain or one of these hardware wallets you should be holding the keys. I might get a lot more spam emails and occasionally text spam from this leak but I never lost a penny and my keys were always safe.
thanks for posting this!! They of all people… grrrr
Hey bob,
Thank you so much for leaving this! What a rough couple of years for cryptocurrency for sure. I’ve been in the space a decade now and I don’t think I’ve ever been more disgusted with it in general (or had more doubts)!
Nevertheless I would not trade having my email/phone added to spam lists for having all of my money tied up in one of these centralized exchanges that are now going through bankruptcy. Ledger hasn’t had any more leaks since I posted this so hopefully that means they’ve learned their lesson and cleaned up their practices substantially.
Theoretically the answer would be to choose a different hardware wallet but at the time realistically your choices were Trezor or Ledger and I actually have one of each. There are probably more choices now (or there’s always a paper wallet I guess?) but I’ve always been perfectly happy with the Ledger other than this happened. Given the state of cryptocurrency I haven’t wanted to invest in a bunch of new hardware wallets to test so I’ve been sticking with the Ledger.
In fact it’s almost more logical for me to stay with Ledger because they’ve already screwed up and leaked my data and been burned by it. If I tried some up-and-coming new hardware wallet company that would probably be a company that hasn’t learned that lesson yet and unless they consciously and intentionally chose to use better data practices to avoid that then it’s only a matter of time before it would be their turn to learn that lesson (and then yet another copy of all my data would be flying around in a totally separate/new leak).
To be clear I’m not defending them. I hate that they did this and I bet they hate that they did it now too. The amount they gained selling my information to these marketing companies to track me (which is what was stolen/leaked by the hackers) could not possibly have been worth the absolute disaster / hit to their reputation it caused. That was a stupid and shortsighted decision. They said they didn’t know our information was being collected and this was set up without their knowledge by one of their partners. That only changes the question to a potentially more disturbing one of how do you have no idea what your partners are doing with your customer data and why aren’t you vigorously safeguarding that information?
All I’m saying is that the good news is that in the time since I wrote this they haven’t screwed up again and they haven’t given me any reason to stop using them otherwise if that makes sense.
I still don’t recommend holding any coins in centralized exchanges. However people want to hold their coins it will be better and smarter than keeping them in exchanges. Not your keys not your coins blah blah blah you guys know the drill but it’s true. Whether you’re using a paper wallet, an actual installed copy of the blockchain or one of these hardware wallets you should be holding the keys. I might get a lot more spam emails and occasionally text spam from this leak but I never lost a penny and my keys were always safe.
Take care!