A HISTORY OF LEDGER DATA BREACHES

While the Bitcoin you keep in cold storage with a Ledger is safe, the information you share with them certainly is not .

If you are auditing your own personal OpSec, here is the chronological history of data exposures to keep in mind:

• June 2020 (Marketing Database): A misconfigured API key allowed unauthorized access to Ledger’s marketing database.
• Impact: Exposure of roughly 1 million email addresses and 272,000 detailed customer records (including physical addresses and phone numbers)

• September 2020 (Shopify Incident): A rogue employee at Shopify (Ledger's e-commerce partner) leaked internal merchant data.
• Impact: Approximately 292,000 customers had names, emails, and shipping details compromised.

• March 2022 (HubSpot CRM): A social engineering attack on HubSpot’s internal tools targeted several crypto-native companies.
• Impact: A subset of Ledger’s marketing and newsletter contact lists was exported, leading to a rise in highly personalized phishing.

• April 2025 (Support Platform Access): Unauthorized access to a third-party support tool used for customer inquiries.
• Impact: Exposure of support ticket metadata and contact info, allowing attackers to reference specific user issues in social engineering attempts.

• January 2026 (Global-e Breach): The most recent event involving Ledger’s third-party payment processor.
• Impact: Exposure of shipping and contact information for customers who purchased through the Ledger website storefront.

The Takeaway:
These incidents underscore a persistent reality with Ledger: The device may be safe, but the e-commerce trail is often the weakest link.

Always try to buy hardware wallets in person with cash