Crypto hardware wallet manufacturer Ledger began notifying customers on January 5, 2026, that personal data was exposed after hackers breached Global-e, a third-party e-commerce platform Ledger uses for some online purchases. The breach affects an undisclosed number of customers who bought through Ledger.com when Global-e served as the Merchant of Record.
Incident overview
| Attribute | Details |
|---|
| Disclosure date | January 5, 2026 |
| Breached entity | Global-e (third-party payment processor) |
| Affected company | Ledger (and other Global-e clients) |
| Breach type | Cloud system unauthorized access |
| First reported by | ZachXBT (blockchain investigator) |
| Ledger systems compromised | No |
| Global-e system compromised | Yes (cloud-based order system) |
What was exposed
Global-e confirmed the stolen data includes:
| Data type | Exposed | Risk |
|---|
| Customer names | Yes | Identity correlation |
| Postal addresses | Yes | Physical targeting |
| Email addresses | Yes | Phishing campaigns |
| Telephone numbers | Yes | SIM swapping, vishing |
| Order numbers | Yes | Social engineering |
| Products purchased | Yes | Confirms crypto ownership |
| Prices paid | Yes | Value estimation |
What was NOT exposed
Ledger emphasized that the most sensitive data remained secure:
| Data type | Status | Reason |
|---|
| 24-word recovery phrases | Not exposed | Not stored by Global-e |
| Private keys | Not exposed | Not accessible through e-commerce |
| Cryptocurrency balances | Not exposed | Self-custodial; not visible to third parties |
| Payment card details | Not exposed | Not included in breach scope |
| Ledger account credentials | Not exposed | Separate from Global-e systems |
| Wallet firmware | Not exposed | Device-based, not cloud-stored |
“This was not a breach of Ledger’s platform, hardware or software systems, which remain secure. For the avoidance of doubt, as the Ledger product is self-custodial, Global-e does not have access to your 24 words, blockchain balance, or any secrets related to digital assets.”
— Ledger statement
Discovery timeline
| Date | Event |
|---|
| Late December 2025 | Global-e detects unauthorized access (estimated) |
| January 5, 2026 | Global-e notifies affected brands |
| January 5, 2026 | ZachXBT shares notification email on X |
| January 6, 2026 | Ledger publishes support article |
| January 6, 2026 | Phishing campaigns targeting victims detected |
| Ongoing | Global-e forensic investigation continues |
Broader impact
Ledger was not the only brand affected. Global-e’s cloud-based system contained order data from multiple major brands.
Known Global-e clients
| Category | Brands |
|---|
| Fashion | Burberry, Hugo Boss, Ralph Lauren, Givenchy, Michael Kors |
| Entertainment | Netflix, Disney Store |
| Sports | Adidas, Wimbledon |
| Technology | Ledger |
| Audio | Bang & Olufsen |
| Retail | M&S |
The scope of the breach across other brands has not been publicly disclosed. Global-e stated it is “currently notifying all potentially affected individuals and relevant regulators directly.”
Additional known impact
| Company | Disclosure |
|---|
| Multiple major retailers | Likely affected, not yet disclosed |
| Consumer brands | Customer notifications expected |
Global-e’s response
| Action | Details |
|---|
| System isolation | Affected systems isolated immediately |
| Security containment | Threat activity contained |
| Notifications | Contacting affected individuals and regulators |
| Investigation | Ongoing forensic review |
| Third-party IR | Engaged external security firm |
Phishing campaigns already active
Within hours of disclosure, users reported a surge in phishing attempts specifically targeting Ledger owners.
Fake Ledger-Trezor merger campaign
Cybercriminals launched a particularly sophisticated campaign:
| Element | Details |
|---|
| Theme | Fake merger between Ledger and Trezor |
| Claim | Users must “migrate” wallets due to merger |
| Request | Enter 24-word recovery phrase |
| Infrastructure | Professional-looking phishing sites |
| Goal | Steal recovery phrases and drain wallets |
Common scam patterns
| Scam type | Description | Risk |
|---|
| Replacement device emails | Claims Ledger device needs replacement | Credential theft |
| Firmware update notices | Urgent “security update” notifications | Malware delivery |
| Support calls | Phone calls requesting account verification | Social engineering |
| Physical packages | Fake replacement devices mailed to addresses | Compromised hardware |
| QR code scams | Links to “verify” wallet via malicious sites | Credential theft |
| SMS phishing | Text messages with urgent action required | Link clicking |
Ledger’s warning
“Ledger will never send physical items or ask you to scan QR codes, visit websites, or share your 24-word recovery phrase.”
Why this matters for crypto holders
Address data combined with known Ledger ownership creates targeting risk beyond typical phishing:
| Risk | Threat | Severity |
|---|
| Physical theft targeting | Attackers know you own crypto hardware and where you live | Critical |
| Social engineering | Scammers can reference your actual purchase details | High |
| SIM swapping setup | Phone numbers enable account takeover attacks | High |
| ”Wrench attack” risk | Physical coercion to hand over crypto | Critical |
| Targeted burglary | Known high-value asset holder | High |
| Stalking/surveillance | Physical address compromised | High |
| Family targeting | Criminals may target family members | High |
Crypto holders should consider whether their delivery address creates personal safety concerns.
Ledger’s breach history
This is not Ledger’s first third-party data exposure:
| Year | Incident | Records affected | Source |
|---|
| 2020 | E-commerce/marketing database | 272,000 | Direct breach |
| 2020 | Shopify rogue employee | 292,000 | Insider threat |
| 2023 | Connect Kit supply chain | $484,000 stolen | Library compromise |
| 2026 | Global-e cloud breach | Undisclosed | Third-party |
Cumulative exposure concern
| Factor | Implication |
|---|
| Multiple breaches | Same customers may be exposed repeatedly |
| Data correlation | Attackers can combine data from multiple breaches |
| Long-term targeting | Victim lists shared and resold |
| Trust erosion | Customer confidence affected |
Pattern analysis
| Incident type | Ledger’s own systems | Third-party systems |
|---|
| 2020 database | Compromised | N/A |
| 2020 Shopify | N/A | Compromised (insider) |
| 2023 Connect Kit | Supply chain | N/A |
| 2026 Global-e | Secure | Compromised |
The repeated exposure of customer data through third parties—despite Ledger’s own systems remaining secure—highlights the persistent supply chain risk in e-commerce operations.
Hardware wallet security paradox
| Reality | Implication |
|---|
| Hardware never compromised | 7+ million units sold, zero confirmed device hacks |
| Customer data repeatedly exposed | E-commerce creates persistent attack surface |
| Security vs. privacy mismatch | Strong device security, weak data protection |
Recommendations
For affected Ledger customers
| Priority | Action |
|---|
| Critical | Never share your 24-word recovery phrase with anyone |
| Critical | Assume you’re a target for sophisticated phishing |
| Critical | Verify ALL communications independently |
| High | Consider physical address privacy for future purchases |
| High | Monitor for SIM swap attempts (unusual phone behavior) |
| High | Enable carrier PIN/passcode protection |
| Medium | Review home security considerations |
| Ongoing | Watch for unusual account access or surveillance |
Verifying legitimate communications
| Legitimate | Suspicious |
|---|
| In-app notifications in Ledger Live | Emails asking for recovery phrase |
| Official website (manually typed URL) | Links in emails or SMS |
| Ledger Live app messages | Phone calls requesting verification |
| — | Physical packages you didn’t order |
| — | Requests to scan QR codes |
| — | Urgent action deadlines |
Address privacy measures
| Option | Benefit |
|---|
| PO Box | Separates crypto purchases from home address |
| Forwarding service | Additional layer of anonymity |
| Work address | Reduces home targeting risk |
| Friend/family address | (With their permission) |
| Alternate identity | Legal name alternatives where permitted |
Physical security considerations
| Measure | Purpose |
|---|
| Home security system | Deter and detect intrusion |
| Secure storage | Keep hardware wallet in safe location |
| Discretion | Don’t discuss crypto holdings publicly |
| Travel awareness | Be cautious with hardware wallet travel |
| Duress wallet | Consider decoy wallet with small balance |
Recommendations for crypto industry
| Priority | Action |
|---|
| High | Treat crypto customer data as high-value targeting info |
| High | Minimize data sharing with third parties |
| High | Audit vendor security practices annually |
| High | Implement data minimization in e-commerce |
| Medium | Consider privacy-preserving purchase options |
| Ongoing | Monitor for customer data exposure |
Context
The Ledger breaches demonstrate that hardware wallet security is only as strong as the weakest link in the purchase chain. While Ledger’s hardware and software remain uncompromised—with over 7 million units sold and zero confirmed device hacks—customers face repeated exposure through third-party vendors handling e-commerce operations.
For crypto holders, this creates a paradox: buying a hardware wallet to secure assets creates a data trail that makes you a target. Organizations selling high-value security products need to treat customer data with the same rigor they apply to the products themselves.
The immediate concern is not cryptocurrency theft (the wallets remain secure) but rather the physical safety and social engineering risks that come from attackers knowing exactly who owns crypto hardware and where they live. The fake Ledger-Trezor merger phishing campaign demonstrates how quickly criminals adapt to capitalize on breach disclosures.
Until crypto hardware manufacturers address the inherent tension between secure products and insecure purchase processes, customers must take extraordinary measures to protect their privacy during acquisition.
