LastPass Security Breach Results in $4.4 Mln Crypto Drain

Key Takeaways

  • The breach impacted approximately 80 crypto addresses belonging to 25 victims
  • Reportedly, the hackers also managed to obtain a backup of encrypted customer vault data

Cryptocurrency enthusiasts were hit by a significant loss of more than $4 million in digital assets on October 25, linked to their use of the widely adopted password manager LastPass. The incident was exposed by the on-chain investigator ZachXBT.

In collaboration with fellow researcher Tayvano, ZachXBT delved into the origins of this exploit, which can be traced back to a security breach LastPass confirmed in December 2022. During this breach, threat actors managed to access a backup of customer vault data, comprising sensitive details like website usernames, passwords, secure notes, and form-filled data.

Since this breach, it seems that malevolent actors systematically emptied the wallets of cryptocurrency users who had potentially stored their seed phrases within the LastPass platform. Alarmingly, reports suggest that the cumulative losses from this breach have now exceeded $35 million, affecting more than 150 victims.

A recent disclosure by Tayvano on October 27 shed light on the most recent exploit, which impacted approximately 80 crypto addresses, resulting in a collective loss of $4.4 million for the 25 victims involved. Notably, many of the victims were long-time users of LastPass who admitted to storing their crypto keys or seeds within the platform.

In addition to the theft of digital assets, the attackers also managed to obtain a backup of encrypted customer vault data. LastPass had previously cautioned that this data could potentially be decrypted if the attackers successfully guessed the account’s master password through brute force techniques.

The severity of this breach was also highlighted by cybersecurity journalist Brian Krebs in a September blog post. He reported that some of the LastPass customer vaults had been compromised, resulting in the loss of over $35 million in cryptocurrencies from about 150 victims.

Furthermore, LastPass faced legal action in January due to a class-action lawsuit filed by individuals who claimed that the breach in August 2022 had led to the theft of approximately $53,000 worth of Bitcoin.

In response to this ongoing breach, several cryptocurrency security experts have been offering guidance to LastPass users on how to mitigate further losses. Tayvano specifically encouraged affected users to report the incident to the Internet Crime Complaint Center (IC3), which serves as a central hub for reporting cybercrime.

In a separate post on October 22, the security expert underscored the urgency of considering all credentials stored within LastPass as compromised, emphasizing the importance of promptly rotating valuable or old secrets and transferring assets to more secure storage.

In light of the breach, ZachXBT strongly recommended that anyone who may have stored their seed phrases or keys in LastPass should immediately transfer their crypto assets to a more secure location.

LastPass, the password management service, also offered essential guidance to its users, emphasizing the critical importance of not reusing a master password across different websites and taking measures to enhance security, such as updating passwords for websites stored within the platform.

The breach that took place in December 2022 was a result of attackers leveraging previously stolen information from an August breach to target a LastPass employee. This ultimately allowed the attackers to access the employee's credentials and decrypt stored customer data.

Saniya Raahath