France-based major crypto hardware wallet manufacturer Ledger confirmed that Shopify hackers obtained Ledger customer personal information in April and June 2020.
“Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach,” the company said.
“On December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s,” the company said on January 13.
According to them, Shopify claims that this is related to the incident reported in September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack.
Meanwhile, the company said that they will “soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance for individual customers.”
In the meantime, they urged to “NEVER SHARE YOUR [SEED] 24 WORDS WITH ANYONE.”