Crypto wallet firm Ledger faces new data breach through Global-e partner

Hardware wallet giant Ledger is grappling with a data exposure incident, this time linked to its third-party payment processor, Global-e.

An email notification sent to customers by Global-e and initially shared by pseudonymous blockchain sleuth ZachXBT on X said the breach involved unauthorized access to Ledger users’ personal details like names and contact information from Global-e’s cloud system.

The email did not disclose the number of clients affected or specify when the exploit occurred.

In 2020, Ledger experienced a data breach that exposed information of 270,000 customers through e-commerce partner Shopify. In 2023, Ledger was hacked for nearly $500,000, affecting several decentralized finance applications.

Global-e said it detected unusual activity and swiftly implemented controls while launching an investigation, which verified the improper access.

“We retained independent forensic experts to conduct an investigation into the incident and we were able to determine that some personal data including name and contact information were improperly accessed,” it said in the email.

Ledger’s social media channels show no active incidents, urging vigilance yet.

In an email response to CoinDesk, Ledger emphasized that the breach occurred at Global-e, adding that the payment processor sent the email notification to customers because it is the data controller.

“Ledger was made aware of an incident at Global-e, an e-commerce partner for global brands and retailers, including Ledger,” the company told CoinDesk. “This incident consisted of unauthorized access to order data in Global-e information systems. Some of the data accessed as part of this incident pertained to customers who made a purchase on Ledger.com using Global-e as a Merchant of Record.

“This was not a breach of Ledger’s platform, hardware or software systems, which remain secure. For the avoidance of doubt, as the Ledger product is self-custodial, Global-e does not have access to your 24 words, blockchain balance, or any secrets related to digital assets,” it said.

Ledger explained further that clients’ payment information wasn’t involved in the breach and it is working with Global-e to reach out to affected users with relevant information.

“We remain united with the industry at war against hackers and bad actors who are tirelessly trying to steal users’ information in the ecosystem and e-commerce space at large,” Ledger said.

CORRECT (Jan. 5, 12:47 UTC): Changes email sender to Global-e, an earlier version of the story said it had been sent by Ledger. Adds Ledger confirmation, comment.