Ledger will return $600,000 to users affected by the hack that exploited the blind signatures feature on its hardware wallets.
According to the Ledger’s Dec. 20 announcement, the company is also working to prevent similar signatures in the future and aims to implement a new security standard built around clear signatures. This will increase user protection and improve the transparency of DApps.
By June 2024, Ledger devices will no longer support blind signatures. Instead, there will be a new security standard using clear signatures. This will increase user protection and improve the transparency of DApps.
Ledger also advises users who signed transactions in affected DApps during the hack to cancel authorized transactions. This should minimize the impact of the attacker’s malicious code.
What happened on Dec. 14?
The hack occurred on Dec. 14. A hacker replaced the real Ledger Connect Kit with a fake one, but users’ physical devices and the Ledger Live app were not affected.
The breach involved the hacker gaining access to the NPMJS service account through a phishing attack targeting a former Ledger employee. The attacker used WalletConnect to withdraw funds. This action triggered the deactivation of the scammer’s wallet.
Subsequently, Ledger promptly removed the malicious file from its system, which had been present for approximately 5 hours.
At the time of the incident, Ledger did not disclose the extent of the damage. However, the company stated that it had reached out to affected users to discuss compensation.
Ledger’s other security issues
This isn’t the first time Ledger has faced security issues. Crypto analyst ZachXBT reported a fake Ledger Live app in the Microsoft Store in Nov. It is known that it appeared on Oct. 19.
Three years ago, hackers successfully breached Ledger users’ personal data in an incident that took place on Jun. 25, 2020. The attackers gained unauthorized access to a list of customers’ names, addresses, and phone numbers by exploiting an API key.
The recent breach has led to criticism of Ledger. Many users didn’t understand why a former employee had access to the data, according to comments under the company’s post.