French cryptocurrency hardware wallet manufacturer Ledger disclosed on Wednesday that its e-commerce database was hacked in late June, resulting in the exposure of approximately one million customer email addresses. In addition, personal details—including first names, last names, postal addresses, and phone numbers—of roughly 9,500 customers were also accessed. Ledger emphasized that user funds and crypto assets remained safe and were never at risk.
Breach Details: API Compromise Was the Entry Point
According to Ledger’s official blog post, the breach occurred on June 25. An unauthorized third party exploited an API key—since deactivated—to gain access to the company’s marketing and e-commerce database, which is used to send order confirmations and promotional emails. Ledger discovered the vulnerability after a security researcher participating in its bug bounty program reported it on July 14. The firm fixed the issue immediately but confirmed that the vulnerability had already been exploited by a hacker weeks earlier.
The exposed data includes email addresses of all affected customers, and for 9,500 of them, full name, shipping address, and telephone number. Payment information, passwords, and private keys for crypto wallets were not compromised. “This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril,” Ledger stated.
Response and Regulatory Steps
Ledger expressed “extreme regret” for the incident. The company filed a report with France’s data protection authority, the CNIL, on July 17, and four days later engaged cybersecurity firm Orange Cyberdefense to assess the potential damage and identify further vulnerabilities. So far, Ledger has not found evidence that the stolen data is being sold on the internet, but the firm warned users to “always be mindful of phishing attempts by malicious scammers.”
Industry Implications: Phishing Risks and Security Lessons
While the breach did not affect crypto funds directly, the leakage of personal information creates a fertile ground for targeted phishing campaigns. Attackers may craft convincing emails that appear to come from Ledger, asking recipients to reveal their recovery phrases or download malicious software. Ledger advises users to never respond to unsolicited requests for private keys or seed phrases, and to only download firmware updates from the official Ledger website.
The incident highlights a growing challenge for crypto service providers: as user bases expand, the databases storing marketing and order information become high-value targets. Hardware wallet manufacturers must now extend their security posture from the device itself to every backend system that handles customer data. The Ledger breach serves as a reminder that even companies with the strongest physical security can be vulnerable through ancillary systems.

