Incident

LastPass stolen seed phrases used to steal $4.4 Million in crypto

Take action: Any encryption will be broken given sufficient monetary motivation. If you were using LastPass in 2022 and are storing your crypto wallet keys or seed keys in LastPass, move your crypto to a new wallet.


Learn More

LastPass, a widely used password management tool, is back under scrutiny over its December 2022 breach of customer vaults. During that breach, the malicious actor managed to copy encrypted data from users' vaults, which included website credentials, secure memos, and auto-fill data.

Now, seed phrases extracted from LastPass vaults during the December 2022 incident have been used to steal millions in cryptocurrency assets.

Crypto assets worth approximately $4.4 million were illicitly siphoned from 80 unique addresses, impacting over 25 individual victims. Crypto researchers urge users who might have stored their seed phrases or keys in LastPass to transfer their cryptocurrency assets immediately.

The majority, if not all, of the impacted parties were longstanding LastPass users. Many of them acknowledged keeping their cryptographic keys or seed phrases in LastPass.

During the December 2022 incident, LastPass's CEO, Karim Toubba, reassured users that hackers would need to employ brute force methods to deduce master passwords and decrypt the copied data. Given the advanced encryption and hashing techniques LastPass employs, Toubba believed that breaking into the system would pose a significant challenge for cybercriminals.

Apparently, hackers managed to break into some of the vaults. In another similar incident, a large-scale crime operation resulted in a loss of $10 million in crypto assets between December 2022 and April 2023. That incident was also most likely caused by data extracted from stolen LastPass vaults.
