A number of Ledger users whose stolen data has been posted online are now threatening a class-action lawsuit, according to a growing number of tweets by the affected users.
“Hey @Ledger, why is my data in that dump, when you supposedly deleted my personal data, and also never notified me about my data leaking?,” wrote Twitter user @NoomDynamite in response to another Tweet describing the attack. “Prepare to be sued into oblivion before the EU courts for violation of the GDPR.”
Indeed, “if any lawyers want to start a class action suit, I’m sure many of us will jump on board,” wrote Twitter user @RyanOlah2 in response to Ledger’s official tweet about the data dump. A number of other users replied in agreement.
https://twitter.com/RyanOlah2/status/1340771949820166144
“This has just gotten 10,000x worse now,” @RyanOlah2 said, apparently referring to the original incident in June of this year when a hacker breached hardware wallet provider Ledger’s marketing database.
Ledger: "We Are Continuously Working with Law Enforcement to Prosecute Hackers."
According to a report by CoinTelegraph, data belonging to thousands of users was taken during the June breach, including 272,853 hardware wallet orders and over a million email addresses that were on the Ledger newsletter mailing list. The hardware wallet orders included mail addresses, physical addresses and phone numbers.
https://twitter.com/UnderTheBreach/status/1340728236528033797
Alon Gal, Co-founder and Chief Technical Officer at cybersecurity firm, Hudson Rock, wrote on Twitter that the leak “holds major risk to the people affected by it.”
And indeed, some hardware wallet holders have already been targeted by phishing scammers.
On Friday, another hardware wallet firm, Trezor, warned its users against phishing attacks that seem to be linked to the Ledger data dump. Finance Magnates previously reported that attackers appear to be using data obtained from the Ledger hack to blindly send texts to customers to attempt to trick them into giving up their wallet’s private keys.
Ledger says that it is attempting to prevent scammers from taking advantage of users whose data has been compromised: "We are continuously working with law enforcement to prosecute hackers and stop these scammers," the company wrote on Twitter. "We have taken down more than 170 phishing websites since the original breach."
⚠️⚠️ Uhh shiit! A hacker is dumping the full @Ledger database dump for free on raidforums! Emails, phone numbers and addresses!
— Jimmy McShill (@JimmyMcShill) December 20, 2020
Get ready for a huge spam and phishing wave!#bitcoin #cryptcurrencies #phishing #security pic.twitter.com/XAQQHZ2wkW
"Saying Sorry, Frankly, Isn't Enough"
However, phishing attacks are not the only concern of users who may have been affected by the attack.
Alon Gal Tweeted that “individuals who purchased a Ledger tend to have high net worth in Cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”
Indeed, high-net-worth crypto users could also be the subject of so-called 'rubber-hose attacks': physical violence or coercion that may force them to give the keys of their Bitcoin wallets to attackers who have gained access to their physical location (i.e. their home address.)
Twitter user @paul_smith2000 wrote that he was “concerned that people now have our addresses” in response to an update on the situation from Ledger.
“What's stopping them from knocking on our doors?!” he wrote. “Saying sorry, frankly, isn't enough!!”
Are you compensating everyone affected? @Ledger ? This is a serious breach and I am concerned that people now have our addresses! What's stopping them from knocking on our doors?! Saying sorry, frankly, isn't enough!!
— Paul Smith ⓥ (@paul_smith2000) December 20, 2020