- Millions of dollars worth of crypto is being stolen from wallets
- The victims are being linked to the 2022 LastPass hack
- The hack saw both encrypted and unecrypted data stolen from the password manager provider
The hacker responsible for the huge LastPass breach in 2022 has continued their rampage by using stolen data to take $5.36 million from 40 crypto wallets.
The August 2022 hack saw the attacker gain access to information that allowed them to later successfully breach a cloud-based storage environment which stored customer keys, API tokens, multi-factor authentication (MFA) seeds, and encrypted password vaults.
While the password vaults were encrypted, the master password used to open them could still be brute forced if it was weak, reused, or previously leaked, which may be the reason for a string of crypto thefts against LastPass users since 2022.
The fallout continues
The latest theft is being linked to the LastPass breach by a blockchain expert known as ZachXBT (via The Block). ZachXBT claims in a Telegram post this is just the latest in a long line of crypto thefts affecting victims of the LastPass breach, with $4.4 million being stolen in October 2023, and a further theft of $6.2 in February 2024.
“Stolen funds were swapped for ETH and transferred to various instant exchanges from Ethereum to Bitcoin,” ZachXBT wrote in their Telegram message. “Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately.”
The Verge previously reported between the time of the breach in August and December of 2022, over $35 million was stolen from 150 apparent victims of the LastPass breach.
These subsequent breaches of crypto wallets highlight the importance of using unique passwords for every single account, and ensuring that each password adheres to recommended password security standards by using one of the best password generators.
Even if you have changed your password manager provider since the LastPass breach, any compromised passwords that are still being reused are at risk, as evidenced by these crypto thefts. It is also recommended to use a strong authenticator app that uses biometric verification to secure your accounts even if an attacker knows your username and password.
Christofer Hoff, Chief Secure Technology Officer at LastPass, said, "A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass."
"Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team at securitydisclosure@lastpass.com," Hoff concluded.
You might also like
- These are the best free password managers on offer today
- Cl0p ransomware group says it was behind Cleo attacks
- Take a look at our guide to the best business password managers
