LastPass Security Breach: Impact on Cryptocurrency Users

Recently, it has come to light that around 25 individuals have lost a staggering $4.4 million in cryptocurrency due to a data breach that occurred in 2022. This breach affected the password storage software LastPass, leading to the compromise of 80 wallets. The severity of this incident has been reported by on-chain sleuths ZachXBT and MetaMask developer Taylor Monahan on Twitter on October 27. They have been actively tracking the movement of funds from the compromised wallets and have discovered that many of the victims were long-time LastPass users who stored their cryptocurrency wallet keys or seeds on the platform.

This security breach has had a significant impact on LastPass and its users, with ongoing consequences since last year. In September, it was revealed that approximately $35 million in cryptocurrency had been stolen from about 150 victims affected by the platform’s security breach in 2022. LastPass, known for its role as a popular password manager, has been a favored target for unauthorized access to user accounts. Attackers have specifically aimed to obtain seed phrases and wallet keys used for cryptocurrency storage, indicating their primary interest lies in exfiltrating cryptocurrencies.

Attack on LastPass and its Aftermath

In a troubling blog post released in December 2022, LastPass disclosed that an attacker had targeted one of their employees using previously stolen information. This approach allowed the attacker to gain access to the employee’s credentials and subsequently decrypt customer data. The hack enabled them to infiltrate the company’s system, leading to a significant security breach. Not only did they steal source code, confidential technical documentation, and internal system secrets, but they also acquired a backup of encrypted customer vault data, which could potentially be decrypted if an account’s master password were guessed through brute force. This initial breach resulted in the extraction of 14 of LastPass’s 200 source code repositories.

Expanding their attack, the hacker managed to acquire a copy of the LastPass customer database, which contained unencrypted account details, associated metadata, and multi-factor authentication settings. Initially, LastPass’s CEO claimed that the hack had been contained, and personal user information had not been compromised. However, in August 2023, it was reported that over 1200 BTC, equivalent to $32 million, had been stolen from the wallets of LastPass users in the year following the security breach. This revelation further highlighted the severity of the breach and the impact on cryptocurrency users.

Lawsuits and Recommendations

In response to the security breach, LastPass has faced legal action and lawsuits. The US District Court of Massachusetts filed a lawsuit against the company in January, alleging insufficient protection of user data. Additionally, LastPass faced a class-action lawsuit from individuals who claimed that the August 2022 breach resulted in the theft of approximately $53,000 worth of Bitcoin, which was valued at $34,317 at the time.

ZachXBT, one of the individuals actively tracking the compromised wallets, has strongly advised anyone who has ever stored a wallet seed or private key in LastPass to transfer their cryptocurrency assets immediately. This precautionary measure aims to mitigate the risk of further losses and ensure the safety of valuable digital assets.
