In a significant cybersecurity incident, approximately 25 crypto users who relied on the popular password manager LastPass suffered substantial losses, with more than $4.4 million in digital assets stolen on October 25. This alarming breach has its roots in a LastPass security compromise confirmed in December 2022.
Exploit Traced Back to LastPass Breach:
Cybersecurity sleuth ZachXBT, in collaboration with fellow investigator Tayvano, traced the exploit to the LastPass breach of December 2022. At that time, LastPass acknowledged that hackers had gained access to a backup of customer vault data, which contained sensitive information such as website usernames, passwords, secure notes, and form-filled data.
Ongoing Crypto Asset Drains:
Since the breach, malicious actors have systematically drained the wallets of crypto users, particularly those who may have stored their seed phrases on the LastPass platform. Reports indicate that over $35 million has been stolen from more than 150 victims since the initial breach in December 2022.
25 Victims Lose $4.4 Million:
An October 27 update from Tayvano disclosed that the most recent exploit affected approximately 80 crypto addresses belonging to 25 victims, resulting in a staggering loss of $4.4 million. Most of these victims were long-time LastPass users who had stored their keys or seed phrases within the platform.
Mitigating Further Losses:
Crypto security experts have been actively advising affected LastPass users on how to mitigate further losses. Tayvano urged victims to file a report with the Internet Crime Complaint Center (IC3) if they hadn’t already done so. The IC3 serves as a central hub for reporting cybercrimes.
Furthermore, Tayvano emphasized the urgency of rotating valuable and older credentials, since every credential stored in LastPass around the time of the breach should be treated as compromised.
ZachXBT provided a critical piece of advice, recommending immediate migration of crypto assets for anyone who believes they might have ever stored their seed phrase or keys in LastPass.
In response to the incident, LastPass has encouraged its users to never reuse their master password on other websites and to minimize risk by changing the passwords of websites stored within the platform. This security breach serves as a stark reminder of the importance of safeguarding sensitive crypto assets and being vigilant in the face of evolving cyber threats.