Ledger Users Exposed in Global-e Breach; Physical Security Fears Resurface
Global-e data breach exposes Ledger customer postal addresses and phone numbers, reigniting fears of targeted physical attacks one year after co-founder’s kidnapping.
The Leak: Postal Addresses and Phone Numbers
Ledger customers are facing a new wave of privacy exposure after Global-e, the hardware wallet manufacturer’s third-party e-commerce partner, confirmed unauthorized access to its order processing systems. The breach, disclosed in emails sent January 5 from [email protected], exposed names, email addresses, phone numbers, and postal addresses of customers who purchased devices through Ledger’s official site.
Global-e (GLBE) acts as the merchant of record for Ledger’s international sales. While the company stated that financial data and Ledger Live secrets remain secure, the exposure of physical addresses is the primary vector for “wrench attacks,” violent in-person extortion attempts.
Institutional Context: The Physical Threat Vector
This breach strikes a nerve in a community already on edge. The exposure of residential data is not merely a digital nuisance; it is a physical safety hazard. In January 2025, Ledger co-founder David Balland was the target of a brutal home invasion in France, where attackers severed a finger to extort access to crypto assets.
Security researchers warn that this fresh dataset provides criminals with the two necessary components for targeted kidnapping: knowledge of asset ownership (a Ledger purchase) and a physical location.
The Numbers & Reaction
Global-e stock (GLBE) traded flat at $38.07 following the news, reflecting the market’s indifference to retail privacy violations as opposed to financial loss. Ledger emphasized the firewall between its hardware security and Global-e’s logistics data:
“Global-e does not have access to your 24 words, blockchain balance, or any secrets related to digital assets.”
However, the separation of digital keys from physical identity data does not mitigate the risk of coercion. Phishing campaigns utilizing the stolen phone numbers and emails have already been reported, with attackers likely to impersonate Ledger support to extract recovery phrases.
Outlook
Users who purchased directly from Ledger should treat all incoming communication as hostile. The dataset is likely already circulating in private exploit channels. Unlike a password, which can be reset, a compromised home address cannot be changed.