Ledger's 2020 customer-order leak is still fueling targeted attacks on hardware-wallet owners

Five years on, the customer-order portion of the 2020 Ledger breach continues to drive a steady trickle of phishing, swatting, and in-person threats against the people whose names, home addresses, and phone numbers appeared in the leaked files.

Ledger, a French manufacturer of hardware cryptocurrency wallets headquartered in Paris, was breached in mid-2020 through a misconfigured API. Two distinct datasets came out of that incident: a marketing list of roughly one million email addresses, and a separate, far more sensitive table of about 272,000 customer orders. The order rows include full names, mailing addresses, email addresses, and phone numbers. For every record in that file, an attacker can map a real person at a real address to the fact that they own a hardware wallet and almost certainly hold cryptocurrency.

The physical-attack vector

Email leaks are a routine inconvenience. Address leaks for crypto holders are a different category of problem. Multiple confirmed incidents since 2021 have traced their origin to this list, including home invasions and high-pressure phishing campaigns where the attackers correctly cite the victim's order date and shipping address to establish credibility.

Ledger pushed several rounds of customer notifications and a dedicated awareness campaign about the elevated phishing risk, including warning that they would never request a recovery phrase by email. The order data has not been removed from the wider dark-web ecosystem in the time since, and the original archives reseed periodically on community forums.

If your order details are in the file

The dataset is searchable here. There is no remediation that restores the lost data, but there are practical steps. Treat unsolicited support emails as hostile by default. Verify shipping or replacement requests through the company directly using a known-good URL. Consider whether a PO box would be appropriate for any future hardware-wallet purchase. If you live in a jurisdiction where physical security is a concern, treating the leaked address as compromised is the conservative read.