According to Cointelegraph, at least 25 people have seen $4.4 million in cryptocurrency drained from 80 wallets due to a 2022 data breach that impacted password storage software LastPass. Pseudonymous on-chain researcher ZachXBT and MetaMask developer Taylor Monahan tracked the fund movements of at least 80 wallets compromised on October 25. Most of the victims are longtime LastPass users and/or confirm having stored their crypto wallet keys/seeds in LastPass, according to Monahan in an accompanying Chainabuse report.
In December 2022, LastPass disclosed that an attacker leveraged information previously stolen in a breach that occurred in August to target a LastPass employee, obtaining their credentials and decrypting stored customer information. The attacker also stole a backup of encrypted customer vault data, which LastPass warned could be decrypted if the attacker brute force guesses the account's master password. In September, cybersecurity journalist Brian Krebs reported that some of the LastPass customer vaults had seemingly been cracked, and over $35 million worth of crypto had been stolen from around 150 victims.
In January, LastPass faced a class-action lawsuit from individuals claiming the August 2022 breach resulted in the theft of around $53,000 worth of Bitcoin. ZachXBT advised anyone who ever stored a wallet seed or private key in LastPass to migrate their crypto assets immediately.