As CoinDesk reported Monday (Jan. 5), an email sent to customers by Global-e—Ledger’s third-party payments service—and later shared on X said the breach of the company’s cloud system involved unauthorized access to Ledger users’ personal details such as names and contact information.
The report noted that this breach follows one from 2020, which exposed information of 270,000 Ledger customers through eCommerce partner Shopify. Three years later, Ledger was hacked for almost $500,000, affecting numerous decentralized finance applications, the report added.
In an email to CoinDesk, Ledger stressed that the breach occurred at Global-e, adding that the payment processor issued the email notification to customers because it is the data controller.
“Ledger was made aware of an incident at Global-e, an e-commerce partner for global brands and retailers, including Ledger,” the company told CoinDesk. “This incident consisted of unauthorized access to order data in Global-e information systems. Some of the data accessed as part of this incident pertained to customers who made a purchase on Ledger.com using Global-e as a Merchant of Record.”
“This was not a breach of Ledger’s platform, hardware or software systems, which remain secure,” the company added. “For the avoidance of doubt, as the Ledger product is self-custodial, Global-e does not have access to your 24 words, blockchain balance, or any secrets related to digital assets.”
The breach marks the continuation of a cybersecurity trend from last year: bad actors using third-party vendors to gain access to their actual targets.
Research by PYMNTS Intelligence, published in the August edition of the 2025 Certainty Project report, “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms,” found that attackers will often compromise a vendor first, then use the trust relationship to infiltrate their target company.
The research found that 38% of invoice fraud cases and 43% of phishing attacks stemmed from compromised vendors.
Last year saw several high-profile incidents along these lines, with companies including Google, Cisco and Workday seeing thefts of customer data kept on Salesforce’s cloud.
“In 2021, there were 400 data breach lawsuits filed,” Philip Yannella co-chair of the privacy, security and data protection practice at Blank Rome, told PYMNTS in an interview. “Last year, there were over 2,000. … Data breaches are always the biggest danger.”
