Ledger CEO explains hack, calls it ‘isolated incident’

Ledger CEO Pascal Gauthier has addressed the Dec. 14 hack of the wallet provider’s JavaScript connector library in a post on the company’s blog. He called the compromise of the library an “isolated incident” and promised stronger security controls.

The exploit ran for less than two hours, was deactivated within 40 minutes of discovery and was limited to third-party DApps, Gauthier said. It was made possible after a former employee fell victim to a phishing scam, he said. That employee’s identity was allegedly left behind in the hacked code. Ledger hardware and the Ledger Live platform were not affected. Furthermore:

“The standard practice at Ledger is that no single person can deploy code without review by multiple parties. We have strong access controls, internal reviews, and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems. Any employee who leaves the company has their access revoked from every Ledger system.”

Gauthier went on to call the hack “an unfortunate isolated incident.” Now, he promised:

“Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel.”

A hack of this type could happen to others, Gauthier added. Ledger Connect Kit 1.1.8 is safe and ready to use, Gauthier said. He thanked WalletConnect, Tether, Chainalysis and zachxbt for their assistance.

The size of the hack was originally estimated at $484,000, but Web3 security service Blockaid later told Cointelegraph that the sum had risen to $504,000 by 20:00 UT. The hack could affect any EVM user who interacted with the affected DApps, the company added.