Reactive statement: Trezor e-shop data leakage is a false report
May 2020 by SatoshiLabs
An unknown hacker recently put up for bidding what is claimed to be leaked customer data from the Trezor e-shop. Trezor got hold of the sample data and, based on the first investigation, there is no Trezor customer data included in the offered database. The whole incident appears to be a scam, for the following reasons:
The content and structure of the leaked data do not correspond to the data from the Trezor e-shop and look more likely to be fabricated.
Trezor has strong protocols on data protection that include anonymization of the e-shop data after a period of 90 days from the purchase.
The Trezor e-shop has never run, and does not currently run, on the Shopify platform, which is stated as the source of the leaked data.
How does the Trezor anonymization protocol work?
The Trezor e-shop collects only the data needed to deliver the product. This data is shared with trusted partners for logistics purposes only. Shipping addresses of orders are anonymized automatically 90 days after the order has been placed. Trezor anonymizes the data every day by overwriting data of orders older than 90 days with random data such as:
"We take data privacy very seriously at SatoshiLabs. By anonymizing the data in our e-shop after 90 days we minimize the impact of such a breach. I would like to assure our customers that their data is being treated as highly sensitive." Slush, CEO of SatoshiLabs
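The daily overwrite described under "How does the Trezor anonymization protocol work?" can be sketched as a retention job. This is an added example, not SatoshiLabs code: the `orders` table, its column names and the sample rows are assumptions made for illustration, since the statement does not describe the real schema.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # retention period stated in the article
# Hypothetical column names; the real e-shop schema is not public.
PII_COLUMNS = ("name", "street", "city", "email")


def anonymize_expired(conn, now):
    """Overwrite PII of orders older than RETENTION_DAYS with random data.

    Returns the number of orders anonymized in this run.
    """
    cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()
    rows = conn.execute(
        "SELECT id FROM orders WHERE placed_at < ? AND anonymized = 0",
        (cutoff,),
    ).fetchall()
    assignments = ", ".join(f"{col} = ?" for col in PII_COLUMNS)
    for (order_id,) in rows:
        # Fresh random value per field, so anonymized rows cannot be linked.
        randoms = [secrets.token_hex(8) for _ in PII_COLUMNS]
        conn.execute(
            f"UPDATE orders SET {assignments}, anonymized = 1 WHERE id = ?",
            (*randoms, order_id),
        )
    conn.commit()
    return len(rows)


def build_sample_db(now):
    """Constructed data: order 1 is 120 days old, order 2 is 10 days old."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, placed_at TEXT, name TEXT,"
        " street TEXT, city TEXT, email TEXT, anonymized INTEGER DEFAULT 0)"
    )
    for order_id, age_days in ((1, 120), (2, 10)):
        conn.execute(
            "INSERT INTO orders VALUES (?, ?, 'Alice Example', '1 Sample St',"
            " 'Prague', 'alice@example.com', 0)",
            (order_id, (now - timedelta(days=age_days)).isoformat()),
        )
    return conn
```

Overwriting rows in the primary database does not reach backups, replicas, logs or copies already shared with logistics partners; each of those needs its own retention handling.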