Hardware wallet providers — Trezor and Ledger — have said their security teams are investigating claims that a hacker has stolen information from their databases, and is now selling customer data online.
The breach also affects users of KeepKey, another popular crypto hardware wallet by cryptocurrency platform, Shapeshift.
According to Under The Breach the hacker had also breached the “full SQL database of famous investing site BankToTheFuture.”
The Ethereum forum hacker is now selling the databases of @Trezor and @Ledger.
Both of which obtained from a @Shopify exploit.
(suggesting there are many more underground leaks).The hacker also claims he has the full SQL database of famous investing site @BankToTheFuture. pic.twitter.com/4M3f2bQKvB
— Under the Breach (@underthebreach) May 24, 2020
The cybersecurity firm posted screenshots that purportedly show adverts the hacker had published for sale of the data. The data includes users’ email addresses, names, phone numbers and addresses. The advertisements do not include users’ passwords.
Under The Breach claims that the hacker “obtained” the personal details via an exploit at e-commerce platform Shopify.
According to Under The Breach, BankToTheFuture did not take the claims seriously. By the time of going to press, ShapeShift had also not released any statement about the alleged hack and subsequent sale of its users’ data.
Trezor and Ledger nonetheless did take the allegation seriously and posted responses on Twitter.
Trezor noted that it had taken the “rumors” seriously although it maintains the platform “does not use Shopify.” In this case its view is that accessing Trezor users’ data via an exploit of its Shopify e-shop was highly impossible.
There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We’ve been also routinely purging old customer records from the database to minimize the possible impact.
— Trezor (@Trezor) May 24, 2020
The company however revealed it was investigating the matter.
“We’ve been also routinely purging old customer records from the database to minimize the possible impact,” Ledger added in the tweet.
Ledger posted that it had taken the matter seriously and continues to investigate. However, the company had compared “screenshots shared on social media” with its database, and “it doesn’t match.”
The alleged compromise on Ledger and Trezor is by the same hacker who breached the Ethereum forum in 2016. Screenshots from Under The Breach shared on Twitter have the hacker claiming the authenticity of the data. They will also only accept “big money” in exchange for the data.
Shopify has reportedly said no such compromise occurred. According to Candice So, a communications manager at the e-commerce giant, there has been no evidence to suggest a breach took place.
“We investigated these claims and found no evidence to substantiate them, and no evidence of any compromise of Shopify’s systems,” So told crypto publication Decrypt.
Neither Ledger or Trezor have released statements regarding their respective investigations.