Cryptocurrency hardware wallet manufacturer Ledger confirmed on January 5, 2026, that customer order data was exposed following unauthorized access inside Global-e, an e-commerce partner the company uses for processing some Ledger.com purchases, raising fresh concerns about supply chain security in the cryptocurrency ecosystem.
The breach at Global-e, a third-party platform handling cross-border e-commerce transactions, potentially exposed customer names, shipping addresses, email addresses, phone numbers, and order details for Ledger hardware wallet purchases processed through the partners systems during specific time periods.
Crucially, Ledger emphasized that the exposed data did not include customers cryptocurrency private keys, wallet seed phrases, financial account information, or passwords—the critical security elements that would enable theft of digital assets. Ledger devices store private keys internally using secure chip technology that is not connected to company servers or partner systems.
However, security experts warn that even seemingly innocuous purchase data poses risks for cryptocurrency holders. Individuals known to own hardware wallets become targets for sophisticated phishing attacks, social engineering schemes, and even physical security threats. Criminals may impersonate Ledger customer support or create fake security alert messages to trick victims into revealing sensitive information.
This incident marks another chapter in Ledgers troubled history with customer data security. A previous breach in 2020 exposed personal information of approximately 270,000 customers, leading to a sustained campaign of targeted phishing attacks that continues years later. That incident taught the cryptocurrency community harsh lessons about operational security and the value of customer data to malicious actors.
Ledger stated it is working with Global-e to investigate the extent of the breach, identify affected customers, and implement additional security controls. The company reiterated standing advice that Ledger will never ask customers to provide seed phrases, passwords, or private keys through email, phone calls, or direct messages.