Hardware wallet manufacturer Ledger is dealing with a data exposure incident involving its third-party payment processor, Global-e. According to blockchain investigator ZachXBT, who shared a notification email on X, the breach resulted in unauthorized access to Ledger users' personal information, including names and contact details, from Global-e's cloud system.
The email did not disclose the number of affected clients or the exact timing of the exploit. Global-e stated it detected unusual activity, swiftly implemented controls, and launched an investigation that confirmed the improper access. "We retained independent forensic experts to conduct an investigation into the incident and we were able to determine that some personal data including name and contact information were improperly accessed," the email said.
This marks another security incident for Ledger. In 2020, a breach via e-commerce partner Shopify exposed information of 270,000 customers. In 2023, Ledger's connector library was hacked, affecting several decentralized finance applications and resulting in nearly $500,000 in losses. Ledger's social media channels showed no active incidents at the time of reporting but urged user vigilance.
The breach occurs amid a series of recent security concerns in the crypto industry. It follows reports of unauthorized fund outflows from Trust Wallet users and phishing scams targeting MetaMask users that mimic two-factor authentication (2FA) to steal seed phrases. The Trust Wallet Chrome extension hack earlier affected roughly $7 million in user funds.
While there is no indication that wallet funds or private keys were compromised in this Ledger incident, experts warn that exposed personal data significantly increases the risk of targeted phishing campaigns and social engineering attacks against affected customers. The event highlights the growing security challenges and supply chain risks associated with third-party vendors managing sensitive customer information.
