Thursday, July 30, 2020

Ledger hacked, but wallets have nothing to fear

In a statement sent this morning, Ledger said it had been targeted by an attack that allowed third parties to get their hands on its customer databases. The company explains that it detected the flaw thanks to information provided by one of the security researchers as part of its bug bounty program. The researcher had detected and reported, on July 14, a security flaw affecting Ledger's website. Following this initial report, Ledger says it conducted an investigation, which found that an attacker had indeed exploited the vulnerability in question towards the end of June and had managed to gain access to the company's customer data.

The company indicates in a blog post that contact and delivery data were stolen. The database in question essentially contained the e-mail addresses of customers and newsletter subscribers, or roughly one million e-mail addresses, according to Ledger. The personal data of 9,500 customers were also exposed: surname, first name, postal address, telephone number, as well as the history of products purchased on the site. The company says, however, that neither credit card data nor user passwords were affected by the data breach. "This data breach is unrelated and has no impact on our hardware wallets or the security of Ledger Live and your cryptocurrency assets, which are secure and have never been at risk. You are the only one in control and able to access this information," reassures Ledger.

Risk of phishing

Ledger immediately corrected the vulnerability that allowed the data leak and announced that it had notified the CNIL on July 17. The company also says it has been working with Orange Cyberdefense since July 21 to "assess the potential damage from the data breach and identify potential data breaches." The company has alerted customers affected by this data breach and is now monitoring offers posted online to see whether the database is offered for sale anywhere. For the moment, it has not resurfaced.

Ledger indicates that a security audit is underway, and that the company now aims to review its organization and its processes in order to fulfill the criteria set out in the ISO 27001 standard, which defines the security requirements for information systems.

The flaw announced by Ledger does not directly endanger the users of its products: the company specializes in developing hardware wallets for storing cryptocurrencies. The stolen data could nevertheless be used in a targeted phishing campaign aimed at recovering the usernames or passphrases of the affected users. Ledger calls on its users to be vigilant and never, under any circumstances, to give out the 24-word passphrase used to gain access to a Ledger wallet.
