Hardware wallet providers Trezor and Ledger have announced that their security teams are investigating reports that a hacker has stolen customer information from their systems and is offering that data for sale online.
The incident reportedly also affects users of KeepKey, a hardware wallet associated with the cryptocurrency platform ShapeShift.
According to cybersecurity monitor Under The Breach, the same attacker claims to have obtained the full SQL database of the investing platform BankToTheFuture.
The Ethereum forum hacker is now selling the databases of @Trezor and @Ledger.
Both of which obtained from a @Shopify exploit.
(suggesting there are many more underground leaks).
The hacker also claims he has the full SQL database of famous investing site @BankToTheFuture. pic.twitter.com/4M3f2bQKvB— Under the Breach (@underthebreach) May 24, 2020
Under The Breach published screenshots that it says show listings where the hacker offered the data for sale. The advertised information reportedly includes users’ names, email addresses, phone numbers and postal addresses; the listings do not appear to include account passwords.
The monitor alleges the attacker obtained the personal details by exploiting Shopify, the e-commerce platform used by many online merchants.
BankToTheFuture reportedly did not immediately treat the claims as credible. At the time of reporting, ShapeShift had not issued a statement about the alleged leak and sale of KeepKey user data.
Both Trezor and Ledger did respond on Twitter, saying they were treating the reports seriously and investigating.
Trezor emphasized that its online store does not use Shopify, calling the reports “rumors,” but said it was nonetheless looking into the matter. The company added that it routinely purges old customer records from its databases to reduce potential impact in the event of a breach.
There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We’ve been also routinely purging old customer records from the database to minimize the possible impact.
— Trezor (@Trezor) May 24, 2020
Ledger also confirmed it was investigating and said it had compared screenshots circulating on social media with its internal records; the company reported that the screenshots did not match its database.
The attacker is believed to be the same individual linked to a 2016 breach of the Ethereum forum. Under The Breach published screenshots in which the hacker asserted the data’s authenticity and indicated they would only accept “big money” offers for it.
Shopify has publicly stated it found no evidence that its systems were compromised. Candice So, a communications manager at Shopify, told crypto publication Decrypt that Shopify investigated the claims and found no substantiating evidence of a breach or any compromise of Shopify’s systems.
At the time of publication, neither Ledger nor Trezor had released a final statement detailing the outcomes of their investigations.