LastPass, a popular password manager, is facing scrutiny following the theft of $4.4 million in cryptocurrency. The assets were allegedly taken on Oct. 25 due to compromised seed phrases stored within the LastPass system.
According to blockchain investigator ZachXBT, the malicious activity was traced back to a staggering 80 unique addresses owned by over 25 individual victims.
“Just on Oct. 25, 2023 alone another ~$4.4M was drained from 25+ victims as a result of the LastPass hack,” ZachXBT posted on X, formerly Twitter. “Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately.”
This incident can be traced back to a security lapse from December 2022 when LastPass made users aware of an unauthorized entry into a third-party cloud storage service it uses. During this breach, the threat actor successfully duplicated customer vault data from the encrypted storage. This gave them access to a wealth of data, including website usernames, passwords, and even secure notes.
Karim Toubba, the CEO of LastPass, stated that while the data might have been copied, actually decrypting the copies to gain usable information would be “extremely difficult.” He attributed this to the firm’s solid encryption and hashing methods.
However, contrary to these assurances, there have been multiple alarming reports. Notably, MetaMask developer Taylor Monahan revealed a unique signature connecting the theft of over $35 million in cryptocurrency, between December 2022 and April 2023, to the same threat actors involved in the LastPass breach.
“At this point I’m also confident in saying that, in most of these cases, the compromised keys were stolen from LastPass,” Monahan posted on X. “The number of victims who only had the specific group of seeds/keys that were drained stored in LastPass is simply too much to ignore.”
In light of these incidents, security experts and researchers are urging LastPass users, especially those who had accounts during the 2022 breaches, to reset all their passwords immediately and to exercise heightened vigilance.