Out of #Ledger's ~1M leaked emails, ~750K are also found in other breaches (@haveibeenpwned). Matching them reveals a total of ~730K real names, ~625K phone numbers and ~540K physical addresses. Take appropriate counter-measures e.g. as discussed by @aantonop, @tayvano_, @lopp.
More affected users:
- ~120K: their password hints
- ~32K: their security Q&A
- ~33K: their income levels (via Exactis)
- ~20K: their wallet balances (on BTC-e)
- ~10K: their BitcoinTalk username + website activity
- ~10K: their passport numbers
- ~3K: their IMEI/IMSI numbers
I still consider @Ledger to be one of the best hardware wallets out there and I don't want to discourage usage of hardware wallets. However, the scope and potential risks of the data leak have been severely under-estimated and under-reported IMHO.
We need discussion about whether and how to collect and store customer info (in anonymised and encrypted form). Customers buying crypto-related items should be made aware of all of this in the ordering process, although they should still assume all data to be leaked eventually.
Question at @haveibeenpwned: Is there an option to have your search results sorted by data class first instead of pwned website? This would be very helpful to estimate the impact of cross-referencing leaks.