Hardware wallet maker Ledger has disclosed a breach affecting its marketing and e-commerce database, with approximately one million customer email addresses exposed. The company said the incident did not affect user funds, and stressed that its hardware wallets and Ledger Live platform remained secure.
Customer contact and order data were exposed
According to Ledger’s public statement, the compromised system was tied to its marketing and e-commerce operations, which are used for order confirmations and promotional communications. In addition to email addresses, some customer contact and order-related information was also accessed.
For a subset of roughly 9,500 customers, the leaked data was more sensitive, including first and last names, postal addresses, and phone numbers. Ledger said the attacker accessed the database through an API key that has since been deactivated.
The flaw was reported in July, but had already been exploited in June
Ledger said a researcher participating in its bug bounty program identified the vulnerability and reported it on July 14. The company moved to fix the issue, but later determined that an unauthorized third party had already exploited the weakness on June 25.
The breach therefore appears to have begun before the internal response was triggered. Ledger said the vulnerability has now been patched and emphasized that payment information, passwords, and crypto assets were not compromised.
In its statement, the company drew a firm distinction between the exposed business database and its core wallet infrastructure, saying the incident had “no link and no impact whatsoever” on the security of Ledger hardware wallets or Ledger Live. For users concerned about direct asset loss, this is a critical detail: the compromised data was related to customer records and communications systems, not wallet private keys or custody mechanisms.
Regulatory reporting and incident response
Ledger described the breach as deeply regrettable and said it had taken steps to escalate the matter with both regulators and cybersecurity specialists. The company reported the incident to France’s data protection authority, the CNIL, on July 17. Four days later, it said it partnered with Orange Cyberdefense to assess potential damage and investigate whether the leaked information had spread further.
At the time of disclosure, Ledger said it had not found evidence that the stolen data was being sold online. Even so, the company warned customers to stay alert for phishing attempts and impersonation scams, a common risk after database breaches involving email addresses and personal contact details.
Why the breach matters even without stolen funds
Although no wallets were drained and no passwords or payment data were reportedly exposed, the incident remains significant because of the kind of information involved. Email addresses, phone numbers, and physical mailing addresses can be valuable to attackers seeking to run targeted phishing campaigns or social engineering operations.
For crypto users in particular, personal data linked to wallet purchases can carry heightened sensitivity. A breach of this kind may not compromise private keys directly, but it can create downstream security risks by helping malicious actors identify likely crypto holders and contact them with convincing fraudulent messages.
That distinction is at the center of Ledger’s response. The company’s message is that the security of customer assets was not in peril, but the exposure of personally identifiable information still demands caution from affected users. In practical terms, customers may need to treat future emails, texts, or calls appearing to come from Ledger with increased skepticism.
The case also highlights a broader issue in the crypto industry: companies that build their brands around wallet security can still face major reputational and operational fallout when adjacent systems—such as e-commerce databases, marketing tools, or customer support infrastructure—are compromised. Even when the core product remains secure, the surrounding data environment can become a weak point.
Ledger said it is continuing to monitor for signs that the stolen information is circulating online. Until more is known, the company’s main advice remains straightforward: users should stay vigilant, avoid clicking suspicious links, and be cautious of any unsolicited communication that references Ledger, account verification, device updates, or urgent asset protection steps.

