Cybersecurity firm Under The Breach today published a hacker’s claims that hardware wallet users’ data was for sale. Trezor and Ledger have said they are investigating the breach.
May 24 2020 | AtoZ Markets – A hacker is reportedly selling stolen data from three popular hardware wallets—prompting an investigation by at least two of the companies allegedly involved.
Hacker reportedly compromised Ledger and Trezor user data
The hacker claims to have stolen data from Trezor, Ledger and Shapeshift’s wallet, KeepKey. The allegations were republished on Twitter today by cybersecurity firm Under The Breach.
The Ethereum forum hacker is now selling the databases of @Trezor and @Ledger.— Under the Breach (@underthebreach) May 24, 2020
Both of which obtained from a @Shopify exploit.
(suggesting there are many more underground leaks).
The hacker also claims he has the full SQL database of famous investing site @BankToTheFuture. pic.twitter.com/4M3f2bQKvB
Under The Breach explained that the data was stolen through exploiting a vulnerability to the popular e-commerce website platform Shopify. The three databases contain the name, address, phone number, and email for more than 80,000 users combined, however, they do not contain passwords for the accounts.
There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We've been also routinely purging old customer records from the database to minimize the possible impact.— Trezor (@Trezor) May 24, 2020
Moreover, the hacker specifies he is only interested in premium bids, stating: “Don’t offer me low dolar, only big money allowed.” The hacker was responsible for hacking the Ethereum forum back in 2016.
Trezor and Ledger are investigating the breach
Screenshots published by Under The Breach show that the hacker claims to have the full SQL database for investment platform BnkToTheFuture. Under The Breach said it contacted BnkToTheFuture but “couldn’t get them to take it seriously.”
But two of the other companies did take the allegations seriously. Trezor said on Twitter that it didn’t use Shopify—making a Shopify-related hack impossible.
“We are nonetheless investigating the situation,” the company said. “We’ve been also routinely purging old customer records from the database to minimize the possible impact.”
Ledger also put out a statement saying it is “taking the matter seriously.”
Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our ecommerce team is currently checking these allegations by analyzing the so-called hacked db, and so far it doesn’t match our real db. We continue investigations and are taking the matter seriously.— Ledger (@Ledger) May 24, 2020
At the time of writing, ShapeShift, the company that owns KeepKey, is yet to comment on the allegations. ShapeShift did not respond to questions from AtoZ Markets by press time but we will update this story with responses.
What do you think of the fact that the hacker has stolen the information of more than 80,000 users? Don’t hesitate to let us know in the comments below!