Evaluating the Security Risks of the Recent Ledger 2.2.1 Update - Is Ledger.com No Longer Safe? The Ledger Cloud Issue

We write this with utmost urgency to alert you about an important security update concerning Ledger devices, a popular hardware wallet used to store cryptocurrencies. Ledger has recently rolled out a new update (version 2.2.1) that introduces a cloud feature, which, upon opting in, will allow your seed phrase to be stored in the cloud. While this may provide convenience for some users, it may also significantly impact the security of your cryptocurrency holdings.

Traditionally, the value proposition of Ledger and other hardware wallets has been the secure offline storage of private keys. These keys, as you know, are the essence of ownership and control of your cryptocurrency assets. By storing these keys offline, hardware wallets offer protection against online hacking attempts and other digital threats.

However, the recent update changes this fundamental security structure. If a user opts in for the cloud feature, their seed phrase will be stored online. This is a significant departure from the promise of “cold storage” that hardware wallets like Ledger are known for.

We were always an advocate for Ledger.com. We loved their devices. But a recent batch of horrible updates made the device almost unusable for managing some crypto coins. Now, a post made by our member @patrikk casts a further shadow on the popular device.

While Ledger.com has a reputation for maintaining rigorous security protocols, the fact remains that any data stored online is potentially vulnerable. Cybersecurity experts generally agree that the more places sensitive information is stored, the more potential access points there are for hackers. This means that by storing your seed phrase in the cloud, it could potentially be exposed to a wider range of digital threats.

Further, even the most secure systems are not immune to breaches. In 2020, Ledger itself experienced a data breach where the personal data of nearly 1 million customers was leaked. Although no funds were lost in this instance, as private keys were not compromised, the incident highlights that no system is completely foolproof. In addition to this, recent Trustpilot reviews on the Ledger.com profile show users complaining about their coins vanishing.

Given these risks, we strongly urge SWAPD members to consider the potential dangers of Ledger’s cloud feature. We understand the appeal of convenience that such a feature might provide, but this should be weighed against the potential security risks involved.

In the world of cryptocurrencies, where transactions are irreversible and there’s no central authority to mitigate fraudulent activities, the importance of personal security measures cannot be overstated. Your private keys represent your ownership of your cryptocurrency assets. Once they fall into the wrong hands, your assets could be irretrievably lost.

Please remember, the safest place for your seed phrase is offline, ideally written down and stored in a secure, physical location. If you feel the need for a backup, consider using a secondary hardware wallet or a metal backup solution. We advise against storing your seed phrase in any form that is connected to the internet, including cloud storage.

Just look at the responses 🙂

https://www.reddit.com/r/ledgerwallet/comments/13itm7u/comment/jkbyyfp/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button

Ledger must have hired the Budlight team.

I guess our 5x Free Trezors Meme Contest giveaway is more sexy now?

Gonna go and win a Trezor, can’t be bothered with Ledger anymore

Never mind my old post (now deleted). My mistake, fake news.

Appreciate this.
What do you suggest now & why? @SWAPD

The biggest issue is that Ledger always said, “Even we can’t get your seed phrase even if you put a gun to our heads.” Well, with update 2.2.1, the firmware allows for seed extraction. Yes, you have to opt-in to use the cloud, but the fact is that the chip is no longer secure and the update could allow anyone with the know-how to create an extracting tool. Heck, how about a rogue Ledger employee? Anywho. We’ve moved to Trezor, but the problem is USDT TRC; Trezor only supports ERC. Still trying to find a viable solution for that.

Also, this is what’s happening on the /r/ledger subreddit right now 😃
https://www.reddit.com/r/ledgerwallet/comments/13kil5p/well_so_long_ledger/

Damnnn, I just bought a Ledger Nano X today 🥲

Can you opt in and opt out?

Yes. That’s not the problem, though. The problem is now firmware is able to extract your keys. Ledger was always against that, but apparently, they have changed their mind.

Crazy 😦

What’s the alternative?

Just don’t use their recovery service? Isn’t that optional?

Yes, it’s optional, but if you care about security, I wouldn’t even update the firmware at all, since it provides a new backdoor.

Use any Ledger except for Nano X, or just buy a Trezor. They’re fully open source.

No, thanks. We’d rather play it safe than sorry with anything from that shady company.

I just received a Ledger after almost 2 months of waiting. Should I use it now or what? Is it safe tho?

I got the Ledger Nano S-PLUS.