2023-10-23 update
It seems it was a human error at Baanx. The data leak probably hasn’t occurred.
2023-07-05 update
I got an official response from CL Card support on Reddit. I also spoke to a person from Baanx. It seems that Anrk is Baanx’s partner. They're conducting an internal investigation. They say there was no data breach. I'm still not 100% clear why I got this email message. I will update this post when more data becomes available.
Here comes the original text
Do you remember how 1 million records leaked from Ledger?
Today I received this funny-looking email message:
Seems similar to Ankr. But if you check it closely you will notice a typo.
Recipient address
“Oh, just another scam attempt”, I thought [1]. However, when I checked the recipient address of this message, I found that it looks similar to the one I use exclusively for my Ledger CL Card.
By exclusively I mean that I don’t provide this address anywhere else. Every time I register somewhere, I use a different, unique email address. This is my method of localizing the source of a data leak (if it was my data that leaked).
However, in this particular case, I used the same email address twice. I used it to contact CL Card support regarding the issues with my card. After closer inspection, I found that I made a typo in my email address when contacting CL Card support. To sum things up, I used:
address #1 as a login for the CL Card system,
address #2 for contacting CL Card support [2].
The scam message was delivered to email address #2.
Source of the leak
So it seems my address leaked from the support department and not from the CL Card system itself. That’s a big relief!
But still, the data we have now leads to many questions. Here are some of them:
When did the leak happen?
How many other addresses leaked?
Apart from email addresses, what other data leaked?
Was it a corrupt or careless employee?
Was it a CRM database leak?
Is the CRM self-hosted by Ledger or outsourced? Maybe they outsource support entirely?
Was the CRM data transferred into another system (for example, for marketing purposes), and did the leak happen there?
I can answer the first question. I sent the first message using address #2 on 8th December 2022. So it seems the leak happened between 2022-12-08 and 2023-07-04.
Also, I know Have I Been Pwned doesn’t report my email as leaked. I checked the same day I wrote this post.
I don’t know the other answers. But I wonder how many people noticed this too. If you were affected, please leave a comment below.
My data leaked - what now?
Unfortunately, if your data leaks, you can’t leak it back. It helps if you provide disposable addresses, but your main address will leak someday too. As always, you need to be careful with incoming mail.
That’s it
Thank you for reading this short post.
For interested parties, I pasted the headers of the message and the first part of the text below. I obfuscated my email address and some other data that could reveal private information.
Delivered-To: address-2@obfuscated.com
Received: by 2002:ab3:1c15:0:b0:238:9402:e3c6 with SMTP id u21csp4866874lth;
Tue, 4 Jul 2023 03:00:09 -0700 (PDT)
X-Google-Smtp-Source: APBJJlGIpdLNd8AIX7qcHMNUTlkl5SwX0AIeWFPH3NbG0NmWonNOfJbO6NP308UQD2NXNBzLQOO5
X-Received: by 2002:a17:902:d501:b0:1b8:3936:7b64 with SMTP id b1-20020a170902d50100b001b839367b64mr20459348plg.1.1688464809144;
Tue, 04 Jul 2023 03:00:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688464809; cv=none;
d=google.com; s=arc-20160816;
b=vppot55BTC0Nh7GIdbYXbKkW+isDHpv7D0N4QQeYwg6qUShM6SncDiiDxRpZGylRNB
vYll7SyfV7nMe1RkojIwcsGocbl6o8FGgQVgj/sMqZ7bIJNWu0wx+mkQRYOZ5VD/j5pC
eHPFaD4AadeMlQTtWBrqeZx6lRovpHPBrXJnFQ7BriNOfbINnuxgQgHuAnt9vP8As/Rm
oij0SvOVoOsXW0wRWOFiWebZ+jmGRUMNWRmkLSsAGnSSAcC7x3+VStBjpg9KMDH37iLr
WL5MJ7IvbnzmooomKMDeVwrUEKUFVEULpELb7LCF9lM6qAas9bz4XNn8rtgQ0doIfuxh
mH8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=feedback-id:from:list-unsubscribe:subject:reply-to:mime-version
:date:message-id:to:dkim-signature;
bh=8yLsdori4r6GtMEEET+tAfTrVGhEDhyYgbLw94d8CEQ=;
fh=tDNHxWpIqxviIVEMkK8CTTH5nJteJnWyRzljgxDe6kw=;
b=Oh3dOJKFdCq5hF0TPRn4pTSwnLdpqhkQbu8ePsrpsa2942ygYm8oqKn8vo1FTIHAqC
OGWcB6odmBIZxTnE2UktQ13Cxhn7sIWvoxJh4OpGDiF2VmQrvYXvyjrJvAb/xQnVNxYj
b8YZIK4Q9JTKIhLllhAA2P0Tvo9jY9maEBpz4bs/oq1lFenOrDcuVFwKsJM0AFVtNsBC
7zjsqMzyPEnVwAeTG1XDr7SgQeq84TESIG/M5j5icR2s40qktBUGIjYnkpCnH5XtW84C
68W4+/h6Ph2g3gD+t2ze/Fbeg7jdVJfyczvXSUR4/P5YvB4dxeJPvvbq/vZsqPYFnYx6
qKeg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@anrkprotocol.com header.s=scph0623 header.b=qQ7u47oI;
spf=pass (google.com: domain of msprvs1=1954918sqetfe=bounces-280172@sparkpostmail.com designates 192.174.87.92 as permitted sender) smtp.mailfrom="msprvs1=1954918SQEtfE=bounces-280172@sparkpostmail.com"
Return-Path: <msprvs1=1954918SQEtfE=bounces-280172@sparkpostmail.com>
Received: from mta-174-87-92.smtp-out.sparkpostmail.com (mta-174-87-92.smtp-out.sparkpostmail.com. [192.174.87.92])
by mx.google.com with ESMTPS id kb14-20020a170903338e00b001b6ae9f8bb1si12371885plb.75.2023.07.04.03.00.08
for <address-2@obfuscated.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Tue, 04 Jul 2023 03:00:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of msprvs1=1954918sqetfe=bounces-280172@sparkpostmail.com designates 192.174.87.92 as permitted sender) client-ip=192.174.87.92;
Authentication-Results: mx.google.com;
dkim=pass header.i=@anrkprotocol.com header.s=scph0623 header.b=qQ7u47oI;
spf=pass (google.com: domain of msprvs1=1954918sqetfe=bounces-280172@sparkpostmail.com designates 192.174.87.92 as permitted sender) smtp.mailfrom="msprvs1=1954918SQEtfE=bounces-280172@sparkpostmail.com"
X-MSFBL: OWV7igvEEXPJb+7ZJrrlYsThoPLaO1ot/hRxyPVy+gU=|eyJtZXNzYWdlX2lkIjo iNjQ5Y2E1ZWRhMzY0YTExMDVjOWQiLCJzdWJhY2NvdW50X2lkIjoiMCIsImN1c3R vbWVyX2lkIjoiMjgwMTcyIiwidGVuYW50X2lkIjoic3BjIiwiciI6ImNsLWNhcmR zLmNvbS4xMi4xMi4yMDIxLnN5c3RlbUBjcnlwdG9uaXgub3JnIn0=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anrkprotocol.com; s=scph0623; t=1688464805; i=@anrkprotocol.com; bh=8yLsdori4r6GtMEEET+tAfTrVGhEDhyYgbLw94d8CEQ=; h=To:Message-ID:Date:Content-Type:Subject:List-Unsubscribe:From:
From:To:Cc:Subject; b=obfuscated
To: address-2@obfuscated.com
Message-ID: <obfuscated@jp.mta1vrest.cc.prd.sparkpost>
Date: Tue, 04 Jul 2023 10:00:05 +0000
Content-Type: multipart/alternative; boundary="_----MvvyzH+M+eka7ub4N8/3Kw===_61/D9-38980-5ADE3A46"
MIME-Version: 1.0
Reply-To: anrk@anrkprotocol.com
Subject: On-chain card spending, self-custody and beyond! 🚀
X-Campaign-ID: 7184983
List-Unsubscribe: <https://links.iterable.com/e/encryptedUnsubscribe?obfuscated>,<mailto:unsubscribe+obfuscated@unsubscribe.iterable.com>
From: anrkprotocol <anrk@anrkprotocol.com>
X-Message-ID: obfuscated
X-Feedback-ID: obfuscated:iterable
Feedback-ID: obfuscated:iterable
--_----MvvyzH+M+eka7ub4N8/3Kw===_61/D9-38980-5ADE3A46
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Connect to your Web3 wallet to an open source wallet network
<https://anrkprotocol.com/on-chain-transactions/>=E2=80=8A
Connect Your Metamask, Ledger, Phamtom or Web3 Wallet To The X Card And Spe=
nd=20
On-Chain!
We are building anrkprotocol - an open-source wallet network that allows yo=
u=20
to connect your Web3 wallet to our Mastercard, enabling on-chain spending a=
nd=20
giving you complete custody over your assets. With anrkprotocol you keep=20
control of your funds at all times and you eliminate the need for trust in=
=20
custodians or financial institutions. Join Waitlist!=20
<https://anrkprotocol.com/on-chain-transactions/>=20
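The two checks a reader can do on a message like the one above, written out as an added example (not code from the original post): map the recipient address back to the one place it was handed out, which is the per-service-address method described earlier in the post, and read the Authentication-Results and DKIM-Signature headers to see which domains the DKIM and SPF verdicts actually vouch for, compared with the From: domain the reader sees. The header block is a trimmed, constructed copy of the headers pasted above, with the same obfuscations; the alias registry and its labels are hypothetical.

```python
"""Added example, not part of the original post: parse a header block like the
one pasted above, work out which of the writer's per-service addresses the
message reached, and check whether the DKIM/SPF verdicts line up with the
visible From: domain. The alias registry and its labels are hypothetical."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers pasted in the post, with the
# same obfuscations. Continuation lines start with whitespace, as in the original.
RAW_HEADERS = """\
Delivered-To: address-2@obfuscated.com
Return-Path: <msprvs1=1954918SQEtfE=bounces-280172@sparkpostmail.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@anrkprotocol.com header.s=scph0623 header.b=qQ7u47oI;
       spf=pass (google.com: domain of msprvs1=1954918sqetfe=bounces-280172@sparkpostmail.com designates 192.174.87.92 as permitted sender) smtp.mailfrom="msprvs1=1954918SQEtfE=bounces-280172@sparkpostmail.com"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anrkprotocol.com; s=scph0623;
       h=To:Message-ID:Date:Subject:From; bh=8yLsdori4r6GtMEEET+tAfTrVGhEDhyYgbLw94d8CEQ=;
       b=obfuscated
From: anrkprotocol <anrk@anrkprotocol.com>
To: address-2@obfuscated.com
Subject: On-chain card spending, self-custody and beyond!

"""

# Hypothetical registry of where each unique address was handed out (the post's
# method: one address per service, so the recipient address names the source).
ALIAS_REGISTRY = {
    "address-1@obfuscated.com": "CL Card login",
    "address-2@obfuscated.com": "CL Card support mailbox (used by mistake)",
}

_VERDICT_RE = re.compile(
    r"\b(dkim|spf|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)


def parse_headers(raw: str):
    """Parse a raw RFC 5322 header block; policy.default unfolds continuation lines."""
    return email.message_from_string(raw, policy=policy.default)


def leak_source(msg, registry=ALIAS_REGISTRY) -> str:
    """Map the Delivered-To address back to the one place it was given out."""
    addr = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    return registry.get(addr, "unknown address")


def auth_verdicts(msg) -> dict:
    """Collect method=result pairs from every Authentication-Results header."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in _VERDICT_RE.findall(str(hdr)):
            verdicts[method.lower()] = result.lower()
    return verdicts


def dkim_tag(msg, tag: str) -> str:
    """Read one tag (e.g. 'd') from the first DKIM-Signature header that has it."""
    for sig in msg.get_all("DKIM-Signature", []):
        for part in str(sig).split(";"):
            key, _, value = part.strip().partition("=")
            if key.strip() == tag:
                return value.strip()
    return ""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def alignment_report(msg) -> dict:
    """DMARC-style strict alignment: does each passing method vouch for the
    domain the reader actually sees in From:? (Relaxed mode would also accept
    subdomains; strict equality is used here for clarity.)"""
    verdicts = auth_verdicts(msg)
    from_dom = domain_of(parseaddr(str(msg.get("From", "")))[1])
    dkim_dom = dkim_tag(msg, "d").lower()
    spf_dom = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    return {
        "from_domain": from_dom,
        "dkim": verdicts.get("dkim", "none"),
        "dkim_domain": dkim_dom,
        "dkim_aligned": verdicts.get("dkim") == "pass" and dkim_dom == from_dom,
        "spf": verdicts.get("spf", "none"),
        "spf_domain": spf_dom,
        "spf_aligned": verdicts.get("spf") == "pass" and spf_dom == from_dom,
    }


if __name__ == "__main__":
    m = parse_headers(RAW_HEADERS)
    print("address handed out to:", leak_source(m))
    for key, value in alignment_report(m).items():
        print(f"{key}: {value}")
```

On the sample above the DKIM verdict passes for anrkprotocol.com and aligns with the From: domain, while SPF passes only for the bounce domain sparkpostmail.com, which is the usual pattern for mail sent through an email service provider. That is what makes the message a genuinely sent campaign rather than a spoof of the sender, which in turn is why the question in the post is where the address came from, not whether the sender is who it claims to be.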
[1] Maybe Anrk is legitimate; I haven’t checked. However, sending marketing messages to email addresses obtained without user consent doesn’t look fair.
[2] To be 100% accurate, I used address #2 by mistake; after realizing it, I continued to use address #1 for contacting support. But the most important thing is that I sent a few messages from address #2 and got replies to that address.
WE TAKE RESPONSIBILITY OF LOSSES BY PUTTING SO KNOWLEDGE AND GIVING THANKS WE ARE AVOCATED TO DO WITHOUT TEMPORARILY WAIT FOR MEETING
I DON'T UNDERSTAND WHAT THEY WANT TO TELL ME THAT MY DATA WAS FILTERED AND ABOUT MY LEDGER THAT MEANS THAT I WAS NOT DEALING WITH YOUR APPLICATION THEY CLONED IT THANKS I WILL DISPOSE OF YOUR SERVICES THANKS SORRY FOR ANY INCONVENIENCE