LastPass Breach Fallout: $5.36M Stolen in Latest Crypto Heist
In August 2022, LastPass, a prominent password manager, experienced a significant security breach that continues to impact its users. Recent reports reveal that hackers have exploited data from this breach to steal substantial cryptocurrency funds from LastPass users.
According to blockchain investigator ZachXBT, over $5.36 million has been stolen from more than 40 cryptocurrency wallets linked to the 2022 LastPass breach. These funds were converted into Ethereum (ETH) and then transferred to various exchanges, ultimately being exchanged for Bitcoin.
This incident is part of a series of cryptocurrency thefts connected to the LastPass breach. In October 2023, approximately $4.7 million was stolen, followed by an additional $6.4 million in February 2024. The cumulative losses from these attacks have now exceeded $16 million, affecting over 100 victims.
The initial breach in 2022 allowed attackers to access both encrypted and unencrypted data from LastPass’s storage. While sensitive information such as usernames and passwords was encrypted, other data, including website URLs, remained unencrypted. The security of the encrypted data largely depended on the strength of users’ master passwords.
In response to the recent thefts, LastPass’s Chief Secure Technology Officer, Christofer Hoff, responded by saying the issue isn’t related to the popular password manager.
“A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents,” said Hoff. “In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass.”
Security experts advise users who may have stored cryptocurrency seed phrases or private keys in LastPass to take immediate action. This includes migrating crypto assets to new wallets, changing all passwords, and ensuring that new passwords are strong and unique. Additionally, users should enable two-factor authentication wherever possible to enhance account security.
React to this headline: