Leading crypto hardware wallet service provider Ledger has alerted its users to a recent security breach it faced earlier in June and July.
Within an official email on 29th July, the company revealed, it was made aware of the breach earlier on 14th July when a researcher participating in its bounty program reached out with details of a possible vulnerability on their website.
While they were fixed the breach immediately, an extra investigation by the team found that a licensed third party carried out an identical action earlier on 25th June.
The individual used an API key to access the marketing and e-commerce database the corporate employed to transfer promotional emails.
In line with Ledger, this compromised the e-mail addresses of almost a million people. The firm added that, for a subset of 9,500 users, details like their names, postal address as well as telephone number were also exposed.
The company claimed the API key employed to access the database has since been deactivated.
After investigating the matter in tandem with 3rd parties and confirming the breach, Ledger added it notified the French Data Protection Authority, CNIL. Reassuring their users of their funds’ security, Ledger wrote within an official web-blog post:
“Your payment information and crypto funds are safe […] Regarding your e-commerce data, no payment information, no credentials, were concerned by this data breach. It solely affected our customers’ contact details.”
The company also said that its monitoring online marketplaces to seek out evidence of the stolen data being sold, but has found none thus far.
Ledger advised users to be vigilant regarding phishing attempts by malicious scammers and said it might never ask them for their recovery phrases.