LastPass Data Breach Results in $4.4 Million Crypto Loss for 25 Victims in a Single Day
Around 25 individuals have reportedly lost $4.4 million in cryptocurrency from a total of 80 wallets, all due to the 2022 data breach that affected the password storage software LastPass.
On October 27, in a Twitter post, on-chain sleuth ZachXBT, along with MetaMask developer Taylor Monahan, reported that they had tracked the movement of funds from at least 80 compromised wallets that were targeted on October 25. They also mentioned that many of the victims were long-time LastPass users who had stored their cryptocurrency wallet keys or seeds on the platform.
If you suspect you were already a victim of the LastPass hack send a DM with the txn hashes of the theft.
— ZachXBT (@zachxbt) October 27, 2023
This security breach has been affecting LastPass since last year and continues to impact its users. In September, it was discovered that at least $35 million in cryptocurrency had been stolen from approximately 150 victims affected by the platform’s security breach that occurred in 2022.
LastPass is a popular password manager designed to secure users’ login credentials. The attack on it involved unauthorized access to user accounts, with a focus on obtaining seed phrases and wallet keys used for cryptocurrency storage, indicating that the attackers were primarily interested in exfiltrating cryptocurrencies.
LastPass Discloses 2022 Data Breach Exposing Customer Data and Source Code Theft
In a blog post in December 2022, LastPass disclosed that an attacker had used previously stolen information to target an employee, gaining access to their credentials and decrypting customer data. The attack allowed the hacker to gain access to the corporate laptop of a LastPass software engineer, which provided them with the means to infiltrate the company’s system. In the process, they stole source code, confidential technical documentation, and internal system secrets.
Additionally, a backup of encrypted customer vault data was stolen, which could be decrypted if the attacker successfully guessed the account’s master password through brute force.
This initial breach enabled the hacker to extract 14 of LastPass’s 200 source code repositories. Subsequently, the hacker conducted a more extensive attack, leading to the acquisition of a copy of the LastPass customer database.
This database contained information such as unencrypted account details and associated metadata, including multi-factor authentication settings.
LastPass Faces Lawsuit After $32 Million Crypto Theft
LastPass’s CEO initially claimed that the hack had been contained and that the compromised data did not include personal user information. It was later reported in August 2023 that over 1200 BTC, valued at $32 million, had been stolen from wallets associated with LastPass users in the year following the security breach.
Earlier this year, several users reported losing significant amounts of cryptocurrency from wallets whose keys were stored on LastPass.
This incident resulted in the US District Court of Massachusetts filing a lawsuit against the company in January, alleging that it failed to protect user data adequately.
Also, in January, LastPass faced a class-action lawsuit from individuals who claimed that the August 2022 breach led to the theft of around $53,000 worth of Bitcoin, which was valued at $34,317 at the time.
In his recent post, ZachXBT advised anyone who had ever stored a wallet seed or private key in LastPass to transfer their cryptocurrency assets immediately.