Blockchain investigator ZachXBT has reported that malicious actors known as the “LastPass threat actor” have stolen approximately $5.36 million in cryptocurrencies. In a December 17th post on his Telegram Channel, ZachXBT stated that the funds were swapped for Ether (ETH) and transferred to various instant exchanges from Ethereum to Bitcoin.
The exploit traces back to a December 2022 security breach when LastPass disclosed that attackers accessed archived backups of encrypted vault data stored on a third-party cloud platform. At the time, LastPass, a popular password manager, warned that the breach exposed user vault data, including usernames, passwords, and secure notes.
However, LastPass assured users that brute-forcing master passwords would be extremely challenging due to strong encryption protocols. Despite this claim, recent attacks have shown that the hackers have targeted users who stored their private keys or seed phrases in their LastPass vaults. The Security Alliance (SEAL), a team of cybersecurity experts, reported that crypto losses connected to the breach have now exceeded $250 million as of May 2024.
SEAL stated that these attacks could have been prevented, as many victims, despite practicing caution, unknowingly placed their digital assets at risk by relying on centralized storage for private keys. The incident highlights the dangers of trusting password managers with sensitive crypto-related data.
To mitigate further losses, crypto holders must immediately safeguard their assets and reduce exposure to similar vulnerabilities.
Source
Source