decrypt.co
A hacker is reportedly selling stolen data from three popular hardware wallets—prompting an investigation by at least two of the companies allegedly involved.
The hacker claims to have stolen data from Trezor, Ledger and Shapeshift’s wallet, KeepKey. The allegations were republished on Twitter today by cybersecurity firm Under The Breach.
The Ethereum forum hacker is now selling the databases of @Trezor and @Ledger.
Both of which obtained from a @Shopify exploit.
(suggesting there are many more underground leaks).The hacker also claims he has the full SQL database of famous investing site @BankToTheFuture. pic.twitter.com/4M3f2bQKvB
— Under the Breach (@underthebreach) May 24, 2020
Under The Breach added that the data was stolen due to an exploit of e-commerce website Shopify. It posted screenshots in which the hacker advertised that the names, addresses, phone numbers and emails of the hardware wallet users were for sale. Passwords were not included.
There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We've been also routinely purging old customer records from the database to minimize the possible impact.
— Trezor (@Trezor) May 24, 2020
“Only big money” would be accepted for the data, the hacker said, according to another screenshot published by Under The Breach. The hacker was responsible for hacking the Ethereum forum back in 2016.
Screenshots published by Under The Breach show that the hacker claims to have the full SQL database for investment platform BnkToTheFuture. Under The Breach said it contacted BnkToTheFuture but “couldn't get them to take it seriously.”
But two of the other companies did take the allegations seriously.
Trezor said on Twitter that it didn’t use Shopify—making a Shopify-related hack impossible. “We are nonetheless investigating the situation,” the company said. “We've been also routinely purging old customer records from the database to minimize the possible impact.”
Ledger also put out a statement saying it is “taking the matter seriously.”
Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our ecommerce team is currently checking these allegations by analyzing the so-called hacked db, and so far it doesn’t match our real db. We continue investigations and are taking the matter seriously.
— Ledger (@Ledger) May 24, 2020
ShapeShift, the company that owns KeepKey, had not commented on the allegations by the time this article was published. ShapeShift did not respond to questions from Decrypt by press time but we will update this story with responses.