After the major data breach in 2022, LastPass remains a target for hackers. Is it time for users to reconsider how they protect their digital assets?
Security expert ZachXBT has issued a warning about a major cryptocurrency attack, which has stolen approximately $5.36 million from over 40 wallet addresses. Notably, this attack is linked to the severe data breach of LastPass that occurred in 2022.
LastPass password management service homepage. Source: LastPass
LastPass, the popular password management service, was hacked in 2022 when attackers breached its system and stole a large amount of user data, including sensitive information such as private keys, API tokens, and MFA seeds. These pieces of information are critical, as they allow hackers to access and take control of victims' cryptocurrency wallets.
In the latest attack, hackers used the stolen data from LastPass to target over 40 victims, stealing cryptocurrency assets. After the theft, they quickly converted the stolen funds into Ethereum and then Bitcoin via instant cryptocurrency exchanges. This tactic was employed to erase traces and make tracking the stolen assets more difficult.
This incident highlights the ongoing severe consequences of the 2022 LastPass data breach. Previously, security analyst ZachXBT documented two other major cryptocurrency attacks linked to stolen LastPass data, resulting in millions of dollars in losses:
October 2023: Hackers stole $4.4 million in cryptocurrency.
February 2024: Over $6.2 million was stolen.
Combined, these three incidents connected to LastPass have resulted in losses of over $15 million for users.
In light of these developments, ZachXBT has issued a warning for LastPass users to exercise caution. Users are strongly advised to move their cryptocurrency assets to other wallets immediately if they have stored their seed phrases or private keys with LastPass.
This attack serves as a crucial lesson for users regarding the security risks associated with using online password management services. While convenient, users must be fully aware of the potential dangers and proactively adopt additional security measures to safeguard their digital assets.
The incident also raises questions about LastPass's responsibility to protect user data and assist victims following breaches. Have they done enough to prevent such attacks and support affected users?
Advice for Users:
Never store seed phrases or private keys on online password management services.
Use cold wallets (hardware wallets) to store cryptocurrencies for added security.
Always enable two-factor authentication (2FA) for all important accounts.
Regularly update software and applications to patch any security vulnerabilities.
Stay vigilant against phishing attempts, including emails and messages designed to deceive users.