Hardware wallet giant Ledger is grappling with a data exposure incident, this time linked to its third-party payment processor, Global-e.
An email message sent to customers by Global-e and originally shared by pseudonymous blockchain practitioner ZachXBT on X said the breach involved unauthorized access to Ledger users’ personal details such as names and contact information from Global-e’s cloud system.
The email did not reveal the number of clients affected or specify when the exploit occurred.
In 2020, Ledger experienced a data breach that exposed information on 270,000 customers through e-commerce partner Shopify. In 2023, the Ledger was hacked for nearly $500,000, affecting several decentralized finance applications.
Global-e said it detected unusual activity and quickly implemented controls while launching an investigation which confirmed the improper access.
“We have retained independent forensic experts to conduct an investigation into the incident and were able to determine that some personal data, including name and contact information, was improperly accessed,” the email said.
Ledger’s social media channels do not show any active incidents, and are still urging vigilance.
In an email response to CoinDesk, Ledger emphasized that the breach occurred at Global-e, adding that the payment processor sent the email notification to customers because it is the data controller.
“Ledger was made aware of an incident at Global-e, an e-commerce partner for global brands and retailers, including Ledger,” the company told CoinDesk. “This incident consisted of unauthorized access to order data in Global-e information systems. Some of the data accessed as part of this incident related to customers who made a purchase on Ledger.com using Global-e as Merchant of Record.
“This was not a breach of Ledger’s platform, hardware or software systems, which remain secure. For the avoidance of doubt, as the Ledger product is self-preserving, Global-e does not have access to your 24 words, blockchain balance or any secrets related to digital assets,” it said.
Ledger further explained that customers’ payment information was not involved in the breach and it is working with Global-e to reach out to affected users with relevant information.
“We remain united with the industry in the war against hackers and bad actors who are relentlessly trying to steal user information in the ecosystem and the e-commerce space in general,” Ledger said.
CORRECT (January 5, 12:47 UTC): Changing email sender to Global-e, an earlier version of the story said it had been sent by the Ledger. Adds Ledger confirmation, comment.
