On October 25, 2023, cryptocurrency totaling $4.4 million was stolen from 25 individuals who all had one thing in common: they were users of the LastPass password manager.
LastPass suffered two data breaches in 2022, in which the hackers obtained source code and customer data. The stolen password vaults contained encrypted and plaintext information belonging to more than 25 million users. At the time, LastPass CEO Karim Toubba issued a statement confirming that only encrypted vaults were stolen and that the master passwords needed to open the vaults were known only to its customers. He said users who followed password best practices should not be at risk, but advised any user with a weak master password to change it.
Encrypted vaults are safe as long as the master password is not known, but because the attackers hold copies of the vaults, they can attempt to open them offline by brute-forcing the master password, with no lockout or rate limiting to slow them down. The process requires only readily available password-cracking software which, combined with reasonably powerful GPUs, allows vast numbers of candidate passwords to be tried until the correct one is found. Once the master password is recovered, everything in the vault can be read, including all stored passwords; the most valuable entries are stored cryptocurrency wallet passphrases, credentials, and private keys. There is growing evidence that the threat actor behind the breach has spent the past few months cracking vault passwords.
Back in September, Brian Krebs reported that more than $35 million in cryptocurrency had been stolen from around 150 people, all of whom were LastPass users. Now blockchain analyst ZachXBT and MetaMask developer Taylor Monahan say they have tracked 80 addresses belonging to 25 users who had funds stolen from the Bitcoin, Ethereum, BNB, Polygon, and Solana blockchains on October 25. Those individuals had stored their seed phrases or keys in LastPass and, on that one day alone, lost $4.4 million.
ZachXBT issued a warning to anyone who used LastPass at the time of the breach, or who had ever stored a seed phrase or key in LastPass, to migrate their crypto assets immediately, and asked anyone who has been the victim of cryptocurrency theft to share the transaction hashes. While cryptocurrency wallets are the most immediately exposed, all LastPass users should consider changing their master password if they have not done so since December 2022, and they should follow password best practices when setting the new one. That means using a passphrase of at least 12 characters that includes upper and lower case letters, numbers, and symbols. The longer the passphrase, the better.