Recently, news broke in the crypto community that the popular hardware wallet manufacturer Ledger has been using a secret recovery phrase service on its products. This news led to a frenzy of reactions from the crypto community, with some users accusing the company of compromising their privacy.
Ledger, which is one of the most popular hardware wallet makers in the crypto space, has been accused of using a secret recovery phrase service that sends the recovery phrases of its users to a company server. According to reports, the company has been using this service since 2018, and it is designed to help users recover their lost funds.
The idea behind the secret recovery phrase service is that Ledger users who lose their recovery phrases can use the service to recover them. Instead of the user having to recall their recovery phrases, the company sends them a link to a recovery page, where they are prompted to enter their email, a photo ID, and their device’s serial number. Once the user’s identity is verified, the recovery phrase is sent to their email.
However, there’s a catch to this service. By using the secret recovery phrase service, users are effectively entrusting their recovery phrases to a third-party company, which could potentially access their private keys and steal their funds. In other words, the service is a centralization point that could compromise the security of the entire system.
Upon discovering this, some members of the crypto community expressed their concerns and called for Ledger to address the issue. Some people even went as far as to claim that the service was a backdoor that allowed the company to access users’ funds.
In response, Ledger issued a statement on its blog, stating that the company had not suffered a data breach and that all user data was safe. The company also claimed that the secret recovery phrase service was designed to save users from the hassle of remembering their recovery phrases.
However, the statement failed to quell the fears of some members of the crypto community. Some people argued that the service was a serious security risk and warned others to reconsider their use of the company’s products.
Others, however, defended the company and pointed out that the secret recovery phrase service was entirely optional and that users could choose not to use it. They argued that the service was a useful tool that could potentially help users recover their lost funds.
Moreover, some people claimed that the criticisms against Ledger were unwarranted, considering that the company was not the only hardware wallet manufacturer to offer a recovery phrase service. Other competitors, such as Trezor and BitBox, also have similar services that involve sending the recovery phrase to a third party.
Despite the criticisms, Ledger appears determined to continue using the secret recovery phrase service. In a recent tweet, the company emphasized that the service was not mandatory and that users who preferred to remember their recovery phrases could do so.
The tweet read, “The optional use of a self-hosted Secret Recovery Phrase derivation service started in late 2018. It is used by a portion of Ledger Live Mobile and Desktop users who chose to benefit from this additional convenience without compromising the security of their funds.”
Overall, the reaction of the crypto community to Ledger’s secret recovery phrase service has been mixed. While some users have expressed their concerns about the service, others have defended the company and argued that it is a helpful tool that can aid in the recovery of lost funds.
Moving forward, it remains to be seen whether Ledger will modify its product offerings to address the concerns of the crypto community. For now, the company appears to be standing by its use of the secret recovery phrase service and is emphasizing that it is an optional feature that users can choose to use or not.
Ledger, a cryptocurrency wallet provider, recently released a new feature called Ledger Recover, which has been met with criticism from members of the crypto community. The service is designed to provide an additional layer of protection for users’ private keys in case they misplace their seed phrase. The seed phrase is divided into three encrypted fragments and sent to external entities; the fragments can be used to reconstruct the original seed phrase once combined and decrypted.
While Ledger Recover is an optional subscription service for users, many have expressed concerns that the encrypted key fragments are sent to three corporations, creating security risks. Mudit Gupta, the chief information security officer at Polygon Labs, called the concept a “horrendous idea” and warned against enabling the feature. He explained that the external entities holding the fragments could potentially reconstruct users’ keys, which undermines the security purpose of hardware wallets.
Binance CEO Changpeng Zhao also chimed in, stating that the service felt like a different direction from the company’s motto of “your keys never leave the device.” Crypto investor Chris Dunn expressed his disappointment with Ledger’s data leak, which exposed users’ personal information in 2020. He urged users to say goodbye to Ledger, saying the company had put a backdoor into seed phrases. Others similarly raised concerns that using the Recover service would give Ledger access to their private keys and undermine the whole point of self-custody.
The Ledger leak in 2020 had already dented the company’s reputation, leading some users to take legal action against it. The recent Recover feature has added to its woes. Established in 2014, Ledger is a prominent global player in the realm of hardware cryptocurrency wallets, having sold around 4.5 million wallets and introduced six distinct wallet models.
In April this year, Ledger launched Ledger Nano S Plus, a specialized wallet tailored to non-fungible tokens (NFTs) to deliver an improved experience for Web3 customers who frequently trade NFTs. Further, Ledger integrated clear signing technology through Ledger Live to bolster user security measures. These efforts by Ledger to deliver improved security features for its customers may be overshadowed by the recent concerns raised over the Recover feature.
Overall, the crypto community’s backlash against Ledger Recover highlights the importance of prioritizing the security of private keys. While the company’s intent to provide a safeguard for lost seed phrases is appreciated, the side effects of user data being sent externally can pose a threat. As the cryptocurrency space evolves, it is crucial for hardware providers to maintain and improve their security protocols while adhering to their commitment to self-custody.