Hackers are pervasive. If there is valuable data out there – and a lot of it is more valuable than you think – they are after it. Centralized data systems are particularly vulnerable. Ledger, a world leader in hardware wallets, was the latest victim – or sinner.
Here is everything you need to know about the Ledger security breach, and how to avoid such breaches in the future. You should look at this data breach as a valuable lesson for any kind of online shopping you do.
What is the Ledger Security Breach About?
Let’s start with what happened:
- On July 14th, a bug bounty hunter warned Ledger about a breach in its database
- An “unauthorized third party”, or hacker, gained access to Ledger customer data
- The breach exposed names, addresses, email addresses and even phone numbers of Ledger customers
- There are no reports of security breaches at any other level, so your funds should be safe
How Does This Affect You?
If you think everything is OK as long as your private keys are safe, you are wrong. Personal data is very sensitive. Hackers who have access to your address, email address, phone number and name can use that information for:
- Social engineering attacks, in which they use the data to get your passwords from certain service providers – like your cell phone provider
- Brute force attacks on your email passwords – yes, many people still use their date of birth or other personal data in those
- Targeted attacks directed at you through your inbox – in which they pretend to be Ledger employees and persuade you to give up your mnemonic or 24-word private key backup
Violent Actors Can Go Even Further!
A hacker who gains access to your cell phone provider account or email can use that information to attack you on several other fronts. Think about 2FA security mechanisms that rely on your phone number, for example.
Many exchanges require an SMS code to grant you access to your account even after you type your password.
Targeted attacks in which you end up giving up your private keys are also possible. Many people fall for these man-in-the-middle attacks and other such scams, even if they are aware of them. We are not paying attention to these at all times; our minds cannot stay in a state of constant awareness.
This is probably the deepest vulnerability that hackers might exploit. Violent actors who know you purchased a Ledger device and have your address might attempt the infamous $5 Dollar Wrench Attack.
They will most likely use the element of surprise to get to you while your awareness level is at its lowest: at 2 a.m., when people are generally asleep!
The $5 Dollar Wrench Attack
Violent attacks on cryptocurrency holders are not new. Security experts have warned about them since the earliest days of the Bitcoin booms and even before. These are popularly known as $5 Dollar Wrench Attacks.
The premise of this type of attack is that the cheapest way to get a password or some other valuable piece of confidential information from you is to tie you to a chair and beat you senseless with a $5 wrench.
Unfortunately, since cryptocurrency transactions are immutable and at least pseudonymous, it is hard to catch the attacker once you have given them access to your private keys to stop the beating.
$5 Dollar Wrench Attack Precedents
A $5 Dollar Wrench Attack is not some random exaggeration or paranoid speculation. Cryptocurrency holders have suffered this kind of attack before.
On February 10th, 2019, a 39-year-old Bitcoin trader was brutally attacked in his house. His 4-year-old daughter was there. The attackers locked the girl in a room and proceeded to drill holes in the trader’s leg.
They also waterboarded the trader and hung him by his neck. The attackers were after his cryptocurrency.
So, Where is the Lesson Here?
If the hacker or hackers who got hold of Ledger customer information are violent, they might be tempted to cross-check the data with Twitter or other social media accounts on which traders tend to brag about how much money they make trading Bitcoin or other cryptocurrencies. If they find someone prominent enough, they might attack them.
To avoid a dreaded $5 Dollar Wrench Attack following the Ledger security breach, you should keep the following in mind:
- Maintain the highest level of secrecy possible
- Don’t disclose the fact that you hold Bitcoin or other cryptocurrencies
- If you are afraid of exposure through previous social media posts, erase them. Erasing your social media accounts altogether might be a better step
- Make sure you have enough hardware to protect your software – to paraphrase Jameson Lopp
Following the Ledger Security Breach
Remember, if hackers have your data, there is little else you can do now. You can prevent future attacks if you take care of your vulnerabilities:
- Companies like Ledger always keep customer data for marketing purposes
- These databases are always vulnerable – even tech giants like Twitter are vulnerable
To protect yourself:
- Use fake email addresses or email addresses that do not have your name in them
- Sign up for encrypted email addresses on services like Protonmail or Tutanota
- Get a burner phone or pay-as-you-go phone that is not connected to your personal data and use that number for your internet accounts and purchases
- Ship everything to a PO box and, if you can, get an alias for that PO box as well
Today It Was Ledger, Tomorrow No One Knows!
These lessons apply to everything you buy online and every service you use online. Almost every company behaves exactly like Ledger. This security breach can happen to anyone at any given time on any kind of online retail outfit or service, whether you use Bitcoin or not. Make sure you take the necessary steps to stay safe!