What we know about Ledger and Shopify's class-action lawsuit

A message on a hook, which is what phishing victims metaphorically received after Ledger customer details were leaked on the dark web last year.

Two phishing victims are taking legal action against crypto wallet maker Ledger and consumer giant Shopify for allowing their personal data to leak on the dark web.

The class-action lawsuit alleges Shopify’s information leak in April 2020 led to phishers scheming about $340,000 in cryptocurrency (at current prices) from the plaintiffs.

The leak, which involved Shopify employees exploiting a database vulnerability, exposed personal info of 273,000 Shopify users, a third of whom were based in the US. Shopify handles payments for the Paris-headquartered Ledger.

Months later, researchers discovered a data-set related to around 270,000 Ledger customers on hacker forums. The data included emails, addresses, phone numbers, and purchases.

Hackers used those details to contact potential victims. In one instance, they posed as the non-profit Stellar Development Foundation, which powers XLM’s growth, to lend credibility to their ruse.

Lawyers detail how one of the crypto-phishing incidents went down.

It’s unclear how phishers stole the other plaintiff’s cryptocurrency. They together lost 4.2 BTC ($252,000), 11 ETH ($23,700), and 150,000 XLM ($57,700).

Ledger customers would’ve opted for another crypto wallet, says lawyer

Aside from compensation for the lost crypto, the plaintiffs are seeking damages for ongoing security concerns, threats, and additional risks of theft.

Lawyers also accused both companies of covering up the full extent of the incident.

Roche-Freedman — a US law firm experienced in bringing class-action lawsuits against the biggest names in the crypto industry — is representing both parties.

The firm’s lawyers highlighted Ledger’s own marketing which claimed: “If you don’t want to get hacked, get a Ledger wallet.”

Roche-Freedman argues the plaintiffs wouldn’t have purchased Ledger devices had they known their data was at risk.

A source familiar with the matter told Protos: “Though the seed phrases weren’t leaked, it’s fair to argue that without the information leaked the plaintiffs wouldn’t have fallen for such sophisticated phishing scams.”

A class-action lawsuit means there could be more plaintiffs

The main focus of the suit regards the danger associated with exposed Ledger customer data. However, every American citizen whose data was leaked in the Shopify breach can take part if it goes to trial.

Protos understands the suit could hypothetically include over 90,000 individuals.

Ledger’s general counsel said in a statement (via the Block) that the company doesn’t comment on ongoing legal issues.

Anyone affected in the US can join the suit against Ledger and Shopify.

“Ledger would however like to take this moment to remind our customers, yet again, never to divulge their 24 words and validate the identity of the recipient of your transactions. You are in sole and total control of access to your funds,” they added.

Shopify didn’t immediately respond to queries and we’ll update this article if we hear back.

Aside from Ledger and Shopify, Roche-Freedman has ongoing litigation involving other entities in the crypto industry including Bitfinex, Binance, BitMEX, Kucoin, and TRON.