Millions stolen in new LastPass crypto hack

LastPass users have fallen victim to a series of cyberattacks, resulting in millions of dollars’ worth of cryptocurrency stolen. The attacks have been linked to a 2022 security breach involving the popular password manager. In 2022, LastPass suffered multiple hacks in which malefactors obtained source code, API tokens, MFA seeds, and keys from customers.

These pieces of valuable data were subsequently used to target users’ cryptocurrency holdings. Initially, in October 2023, $4.7 million in cryptocurrency was stolen, followed by an additional $6.4 million in early 2024. The latest reports indicate that hackers have siphoned another $5.36 million from over 40 crypto wallets of LastPass users.

Blockchain expert ZachXBT identified these recent attacks, explaining in a Telegram post that the stolen funds were converted into Ethereum and subsequently transferred to various instant exchanges before being turned into Bitcoin. Unfortunately, due to the nature of cryptocurrency transactions, recovering these funds is nearly impossible.

LastPass hackers target crypto wallets

LastPass’ CTO and CSO, Christofer Hoff, stated, “A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date, is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass.” He emphasized the company’s commitment to security by inviting security researchers to contact the LastPass Threat Intelligence team.

Experts suggest the following measures to protect against such attacks:

Change passwords immediately after discovering a service you use has been hacked.

Consider placing a credit freeze or fraud alert on your financial accounts.

Change your master password if you use a password manager.

Use hardware wallets instead of digital ones for storing cryptocurrency.

Store seed phrases offline in a safe location.

The series of cyberattacks on LastPass users serves as a stark reminder of the potential long-term fallout from data breaches. Practicing good cyber hygiene, such as using unique passwords and securing critical information offline, can help mitigate risks.
