Users of the two leading cryptocurrency hardware wallets could be at risk after a hacker offered to sell personal details of thousands of the companies’ customers.
Hacker Offers HD Wallet Users’ Details
As per multiple screenshots posted to Twitter, the hacker offered to sell personal details of customers from a wide range of financial services platforms. This includes Trezor and Ledger, KeepKey, Bank to the Future, and LoanBase.
The image below shows the hacker claiming that they got the details by exploiting security vulnerabilities on Shopify – the internet-based commerce site.
The hacker also targeted users of the popular Ethereum forum, Ethereum.org. This mirrored a similar attack on Ethereum.org in 2016 when the hacker managed to extract the personal information of 16,500 ETH forum users.
Both Trezor And Ledger Deny
However, Trezor’s official Twitter channel soon posted a declaration that Trezor does not actually use Shopify, but that they would begin conducting investigations immediately.
The official Trezor announcement stated, “There are rumors spreading that our eShop database has been hacked through a Shopify exploit. Our eShop does not use Shopify, but we are nonetheless investigating the situation.”
It added, “We’ve also been routinely purging old customer records from the database to minimize the possible impact.”
Likewise, the Ledger team posted a similar message – noting that the details offered by the attacker don’t match up with their database. Regardless, they intend to investigate the claims with the appropriate seriousness.
The corresponding Ledger announcement stated:
“Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our e-commerce team is currently checking these allegations by analyzing the so-called hacked DB, and so far, it doesn’t match our real DB,” it said.
The announcement added, “We continue investigations and are taking the matter seriously.”
All in all, the hacker is offering more than 200,000 user details from multiple websites and financial apps. Included are the three largest, most well-known cryptocurrency hardware wallets worldwide.
The attacker claims to have the names, addresses, email addresses, and phone numbers of the exposed users in question.
That means that if the hack is genuine, the worst to come of it will likely be phishing schemes. However, knowing the home addresses of Ledger and Trezor users could be a way to track down cryptocurrency users in general – many of whom hold significant amounts of funds in their wallets. As CryptoPotato reported in January, Trezor hardware wallets could be physically hacked.