Ledger, a leading manufacturer of hardware wallets for storing cryptocurrencies, has announced that it has fixed a security vulnerability that allowed hackers to steal crypto assets from unsuspecting users. The vulnerability, which was discovered on December 14, 2023, affected Ledger’s open source package called @ledgerhq/connect-kit, which is used by developers to integrate Ledger devices with web3 applications.
According to Ledger, the hackers managed to inject malicious code into the connect-kit package, which enabled them to replace the user’s intended recipient address with their own address during a transaction. This way, the hackers were able to divert the funds to their own wallets, without the user noticing. Ledger estimates that the hackers stole around $484,000 worth of crypto assets across 500 to 1,000 wallets1.
Table of Contents
Ledger has since removed the compromised versions of the connect-kit package and released a new version (1.1.8) that fixes the issue. Ledger also advises users to update their Ledger Live application to the latest version (2.35.2) and to always verify the recipient address on their Ledger device before confirming a transaction. Ledger says that it is working with law enforcement authorities and blockchain analysis firms to track down the hackers and recover the stolen funds2.
The connect-kit compromise is the latest in a series of security breaches that have plagued Ledger and its customers. In July 2020, Ledger’s e-commerce partner Shopify was hacked, resulting in the leak of personal information of about 272,000 Ledger customers, including email addresses, names, and postal addresses. The leaked data was later dumped on a website called Raidforums, exposing Ledger customers to phishing scams and other threats3.
Ledger has faced criticism from the crypto community for its handling of the security incidents and its lack of transparency and communication with its customers. Some users have also reported receiving unwanted tokens and NFTs from scammers, which Ledger calls “address poisoning”. Ledger warns users not to click on any links or interact with any suspicious transactions, and to hide any unwanted tokens or NFTs in Ledger Live4.
Despite the security challenges, Ledger remains one of the most popular and trusted brands in the crypto hardware wallet market, with over 3 million devices sold worldwide. Ledger claims that its devices are still safe and secure, and that its software is constantly being audited and improved. Ledger also says that it has hired a new Chief Information Security Officer (CISO) and conducted a series of penetration tests to enhance its security3.
Ledger Security Breach
In a recent development, Ledger, a leading manufacturer of hardware wallets for storing cryptocurrencies, has faced a significant security breach that has raised concerns among its users. The breach, involving a vulnerability in Ledger’s open source package called @ledgerhq/connect-kit, allowed hackers to steal crypto assets from unsuspecting users. This article aims to delve into the details of the incident, Ledger’s response, and the broader implications for the crypto community.
The Connect-Kit Compromise
The security vulnerability, discovered on December 14, 2023, enabled hackers to inject malicious code into the connect-kit package. This code manipulation allowed them to replace the user’s intended recipient address with their own during a transaction, diverting funds to their wallets without the user’s knowledge. Ledger estimates that approximately $484,000 worth of crypto assets were stolen across 500 to 1,000 wallets.
Ledger’s Response
Ledger promptly removed the compromised versions of the connect-kit package and released a new version (1.1.8) to address the security issue. The company also advises users to update their Ledger Live application to the latest version (2.35.2) and to always verify the recipient address on their Ledger device before confirming a transaction. Additionally, Ledger is collaborating with law enforcement authorities and blockchain analysis firms to track down the hackers and recover the stolen funds.
Previous Security Incidents
This incident is not the first time Ledger has faced security challenges. In July 2020, a hack of Ledger’s e-commerce partner Shopify led to the leakage of personal information of about 272,000 Ledger customers. This exposed customers to phishing scams and other threats, raising concerns about Ledger’s overall security infrastructure.
Criticism and Transparency Issues
Ledger has received criticism from the crypto community for its handling of security incidents and perceived lack of transparency and communication with its customers. The leak of personal information in 2020 and the recent connect-kit compromise have contributed to doubts about Ledger’s commitment to user security.
Address Poisoning and Unwanted Tokens
Some users have reported receiving unwanted tokens and NFTs from scammers, a phenomenon Ledger refers to as “address poisoning.” To mitigate this, Ledger warns users not to click on any links or interact with suspicious transactions and advises hiding any unwanted tokens or NFTs in Ledger Live.
Ledger’s Market Standing
Despite these security challenges, Ledger remains one of the most popular and trusted brands in the crypto hardware wallet market, with over 3 million devices sold worldwide. The company asserts that its devices are still safe and secure, emphasizing continuous software audits and improvements. Additionally, Ledger has hired a new Chief Information Security Officer (CISO) and conducted penetration tests to enhance its security.
Conclusion
The recent connect-kit compromise highlights the ongoing challenges in securing cryptocurrency assets and the importance of robust security measures in the crypto industry. Ledger’s response and future actions will likely play a crucial role in restoring user confidence and maintaining its position in the market.
Summarizing the Information
Aspect | Details |
---|---|
Incident Date | December 14, 2023 |
Vulnerability | @ledgerhq/connect-kit |
Stolen Amount | Approximately $484,000 worth of crypto assets |
Ledger’s Response | Removal of compromised connect-kit versions, release of a new version (1.1.8), and user advisories |
Collaboration Efforts | Working with law enforcement and blockchain analysis firms to track down hackers |
Previous Incidents | July 2020: Shopify hack leading to leakage of customer information |
User Criticism | Concerns about transparency, communication, and overall security measures |
Address Poisoning | Users receiving unwanted tokens and NFTs (address poisoning) |
Market Standing | Over 3 million devices sold worldwide, emphasis on ongoing security measures |
Chief Information Security Officer | Hiring a new CISO to strengthen security |
FAQ
1. What is Ledger’s connect-kit package?
Ledger’s connect-kit package is an open source package used by developers to integrate Ledger devices with web3 applications.
2. How did the recent security vulnerability occur?
The vulnerability involved hackers injecting malicious code into the connect-kit package, allowing them to replace user-intended recipient addresses during transactions.
3. How much crypto assets were estimated to be stolen in the recent incident?
Ledger estimates that approximately $484,000 worth of crypto assets were stolen across 500 to 1,000 wallets.
4. How did Ledger respond to the security breach?
Ledger promptly removed compromised connect-kit versions, released a new version (1.1.8), and advised users to update their Ledger Live application.
5. What collaboration efforts are being made to address the breach?
Ledger is working with law enforcement authorities and blockchain analysis firms to track down the hackers and recover stolen funds.
6. What previous security incidents has Ledger faced?
In July 2020, Ledger’s e-commerce partner Shopify was hacked, leading to the leakage of personal information of about 272,000 Ledger customers.
7. How does Ledger address concerns about transparency and communication?
Ledger has faced criticism for its handling of security incidents; however, the company emphasizes continuous improvement and has hired a new Chief Information Security Officer (CISO).