Ledger reveals data breach with e-commerce partner: How vulnerable are your crypto wallets?

The manufacturer of crypto wallets Ledger has announced a security breach on the platform of its e-commerce partner Global-e. However, the company assures that the security of its own hardware and software wallets has not been compromised. No private keys, transaction data, or payment information of customers were disclosed in the security incident.

The Paris-based company Ledger has 12 years of experience in developing and selling crypto wallets. With over 7.5 million devices sold worldwide, Ledger claims to secure about one-fifth of all global cryptocurrencies. User trust in the security of these devices is being tested by the current situation, even though the direct wallets were not affected.

What actually happened at Global-e?

Global-e is an international e-commerce and payment platform that enables brands to sell their products across borders. The Israeli company is listed on Nasdaq under the ticker GLBE and serves hundreds of retailers—including well-known names like Victoria’s Secret, Adidas, Alo Yoga, and Marc Jacobs.

The unauthorized access specifically affected order management systems on the Global-e platform. Information from some customers who made purchases on Ledger.com via Global-e as the payment processor was collected. A Ledger spokesperson told Decrypt that this was an isolated incident on Global-e’s servers, not on Ledger’s own systems.

The good news: Since Ledger offers self-custody products, Global-e never had access to critical security information of customers. Neither the 24-word recovery phrases nor crypto holdings or other sensitive data related to digital assets were compromised. Payment information was also not affected by the data breach.

How is Ledger responding to the security breach?

The company has proactively hired independent forensic experts to investigate the incident. They will analyze the causes of the security vulnerability and ensure that such incidents do not happen again. This step demonstrates the company’s transparency and security awareness.

This incident is part of a series of security events linked to third-party systems in Ledger’s environment. In December 2023, the company reported unauthorized access to its Ledger Connect Kit, caused by a phishing attack on a former employee. At that time, Ledger warned users against further use of certain decentralized applications (dapps). These series of incidents highlight the importance of multi-layered security measures in the crypto industry.

For Ledger crypto wallet users, the key message remains clear: your digital assets are protected by the self-custody architecture of these devices, even if external platforms you use for shopping are affected by security incidents. Ledger’s active investigation and transparent communication help maintain trust in this security solution.