Ledger CEO Pascal Gauthier doesn’t believe a hack on Thursday did much damage
Ledger CEO Pascal Gauthier recently addressed the wallet maker’s December 14 hack, saying in a company blog post that Ledger is working with authorities to “find this bad actor, bring them to justice.” He stated that the hack of Ledger’s JavaScript connector library was an “isolated incident” and pledged there would be stronger security controls moving forward.
Gauthier said the exploit was halted within 40 minutes of its discovery, ran for less than two hours and was confined to third-party decentralized applications (DApps). He said the breach was made possible by a former employee who was the victim of a phishing scam, and that their identity was supposedly left behind in the hacked code. The Ledger Live platform and Ledger hardware were not impacted.
My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets.
— Pascal Gauthier @Ledger (@_pgauthier) December 14, 2023
“The standard practice at Ledger is that no single person can deploy code without review by multiple parties. We have strong access controls, internal reviews, and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems. Any employee who leaves the company has their access revoked from every Ledger system,” he added.
Gauthier called the hack “an unfortunate isolated incident,” vowing that in the future, “Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel.”
This kind of breach could happen to others, Gauthier said, adding that Ledger Connect Kit 1.1.8 is secure and ready for use. He also thanked Tether, Chainalysis, WalletConnect and ZachXBT for their assistance.
The extent of the hack was initially evaluated at $484,000, but Blockaid, a Web3 security service, later said the total had grown to $504,000 by 8 PM UTC. Ledger added that any Ethereum Virtual Machine user who interacted with DApps could also be affected.
Emma Rodriguez is the Proofreader at the Big Blind, with seven years of experience and five years in online gambling. She plays a crucial role in maintaining content quality by ensuring error-free, reader-friendly information about the gambling industry.