Supply Chain Fintech / Cryptocurrency · Global · January 2026

Ledger / Global-e

Analysis of the Ledger/Global-e breach exposing crypto wallet customer data including physical addresses and order details.

Records Affected

Unknown (potentially millions)

Attack Type

Supply Chain

Location

Global

Data types exposed

Names, physical addresses, email addresses, phone numbers, order details including product types and quantities

What Happened

In January 2026, customer data from Ledger, the cryptocurrency hardware wallet manufacturer, was exposed through a breach at its e-commerce partner Global-e.
The compromised data includes names, addresses, emails, phone numbers, and order details. Order details confirm recipients own crypto hardware, making them targets for robbery or extortion. This is Ledger's second major customer data exposure after the 2020 incident.

Timeline

  • January 2026 — Ledger customer data exposed through breach at e-commerce partner Global-e
  • January 2026 — Ledger confirms the incident and begins notifying affected customers

Impact and Risk Assessment

For Individuals

Order details for cryptocurrency hardware wallets essentially confirm that recipients hold cryptocurrency, and the exposed records pair that confirmation with their physical home addresses. Physical robbery and extortion targeting crypto holders are documented, and this data combination exposes affected customers to that risk.
This is Ledger's second customer data exposure, compounding risk for customers who were also affected by the 2020 breach.

For Organisations

Ledger faces significant reputational damage from a second customer data exposure in five years, undermining trust in a company whose core product is security.
Global-e faces scrutiny over the security of its e-commerce fulfilment systems that handle data for security-sensitive products.

Regulatory Context

GDPR applies to Ledger as a French company. CCPA and other state laws apply for US customers. The recurring nature of data exposures may draw additional regulatory scrutiny.

What Should You Do?

For Individuals

  • If you have purchased a Ledger device, be aware that your physical address and purchase details may have been exposed. Exercise heightened physical security awareness.
  • Be extremely cautious of unsolicited communications claiming to be from Ledger. The company will never ask for your recovery phrase.
  • Consider using a PO box or business address for future cryptocurrency-related purchases.

For Security Professionals

  • Organisations selling security-sensitive products should apply enhanced security requirements to their e-commerce supply chain, including fulfilment partners.
  • Consider whether order data for security products should be retained by fulfilment partners after shipping is complete, applying data minimisation principles.

Learnings and Recommendations

Order details for cryptocurrency hardware wallets essentially create a target list of crypto holders with known physical addresses. This data combination creates physical safety risks.
Ledger's second customer data exposure in five years highlights persistent challenges in securing e-commerce supply chains for products that signal ownership of high-value digital assets.
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.