In response to the recent security breach, Ledger CEO Pascal Gauthier has issued a statement, reassuring the cryptocurrency community. Gauthier emphasized that the incident was an isolated event and outlined measures to bolster security moving forward.
The breach, which occurred on December 14th, involved Ledger's Javascript connector library. Gauthier revealed that the exploit was quickly detected and deactivated within just 40 minutes.
Did you know?
Subscribe - We publish new crypto explainer videos every week!
What is a Smart Contract? (Explained with Animations)
It was limited to third-party decentralized applications (dApps), ensuring Ledger's hardware and Ledger Live app remained unaffected.
The root cause of the breach was attributed to a former employee falling victim to a phishing scam, leading to their identity being exploited in the hacked code. However, Gauthier highlighted Ledger's commitment to security, stating:
We have strong access controls, internal reviews, and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems. Any employee who leaves the company has their access revoked from every Ledger system.
Despite the breach, Gauthier characterized it as "an unfortunate isolated incident" and pledged to strengthen security controls. He detailed plans to connect their build pipeline to enhance software supply chain security to the NPM distribution channel, demonstrating Ledger's dedication to preventing future breaches.
Gauthier also cautioned that similar hacks could potentially target other platforms and reassured users that Ledger Connect Kit 1.1.8 remained secure. He extended gratitude to WalletConnect, Tether, Chainalysis, and ZachXBT for their assistance during this challenging period.
As noted on X (Twitter) by many users, the breach impacted various dApps, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, also potentially affecting other programs similar to LedgerHQ / connect-kit. It is worth noting that any Ethereum Virtual Machine user who interacted with the affected dApps may have been affected by the breach.
Initially estimated at $484,000, the hack's impact later increased to $504,000, according to Web3 security service Blockaid.