Ledger has reiterated a promise made by its CEO and chairman that users who lost a combined total of about $600,000 to a security breach will be made whole.
Users who had their assets stolen in the Thursday (Dec. 14) attack, including those who are not Ledger customers, will be made whole, the crypto wallet firm said in a Wednesday (Dec. 20) post on X.
“We commit, by any way possible, to including gesture of goodwill, to make sure this is done by the end of February, 2024,” Ledger said in the post. “We are already in contact with many impacted users and are actively working through the specifics with them.”
Ledger CEO and Chairman Pascal Gauthier said in a Thursday (Dec. 14) post on X: “My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets.”
In the Dec. 14 security breach, hackers inserted malicious code into Ledger’s widely used blockchain software, Connect Kit, which allows DeFi protocols to connect with crypto hardware wallets.
In a security incident report posted on its website on Wednesday, Ledger said: “This exploit injected malicious code inside DApps that were using Ledger Connect Kit, tricking EVM DApps users into signing transactions that drain their wallets. The exploit was quickly spotted and a resolution was implemented briefly after. In the meantime, a low volume of users fell into the attack and signed transactions draining their wallet.”
Following the security breach, Ledger is reviewing and auditing access controls on the internal and external systems it uses; reinforcing its policies around code review, deployment, distribution and access controls; and conducting recurring internal audits to make sure this is properly implemented, according to the report.
The company will also reinforce its infrastructure monitoring and alerting systems so that it can speed up its detection and reaction to future incidents, per the report.
“Finally, we’ll double down on preventing Blind Signing, removing it as an option for Ledger users to ensure utmost security practices, and educate users on the potential impact of signing transactions without either a secure display or understanding what they are signing by not using Clear Signing,” the company said in the report.