Major cryptocurrency hardware wallet provider Ledger has alerted customers to a data breach it faced in June and July.
In an email on July 29, the company said it was made aware of the breach on July 14 when a researcher participating in its bounty program reached out with details of a potential vulnerability on their website.
While they were able to fix the breach immediately, a further investigation by the team found that an authorized third party carried out a similar action on June 25.
The individual used an API key to access the marketing and e-commerce database the company used to send promotional emails.
According to Ledger, this compromised the email addresses of almost one million people. The firm added that, for a subset of 9,500 customers, details such as first and last name, postal address and phone number were also exposed.
The company claimed the API key used to access the database has since been deactivated.
After investigating the matter in tandem with third parties and confirming the breach, Ledger said it notified the French Data Protection Authority, CNIL. Reassuring their users of their funds’ security, Ledger wrote in a blog post:
“Your payment information and crypto funds are safe […] Regarding your e-commerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details.”
The company also said that it is monitoring online marketplaces to find evidence of the stolen data being sold, but has found none so far.
Ledger advised users to be vigilant regarding phishing attempts by malicious scammers and said it would never ask them for their recovery phrases.