Approximately 25 cryptocurrency users of the prominent password manager LastPass lost more than $4 million in digital assets on October 25, according to on-chain detective ZachXBT.

ZachXBT, working with fellow researcher Tayvano, traced the exploit back to December 2022, when LastPass confirmed a security breach.

$4.4 million stolen from LastPass customers

At the time, LastPass said hackers had copied data from its customers' vaults. This included information about website usernames and passwords, secure notes, and completed form data.

Since then, malicious actors have emptied the wallets of cryptocurrency users who may have saved their seed phrases on the platform. Reports had estimated that more than $35 million had been stolen from more than 150 victims since December.

An October 27 post by Tayvano revealed that the most recent exploit affected almost 80 cryptocurrency addresses belonging to these 25 victims, resulting in a loss of $4.4 million.

Victims of the LastPass hack. Source: ZachXBT

“Most, if not all, victims are long-time LastPass users and/or confirm having stored their keys/seeds on LastPass,” Tayvano said.

Security experts advise on next actions

Several crypto security experts have been advising LastPass users on how to mitigate further losses arising from the event.

Tayvano said users who have had their wallets emptied should “get in touch and SUBMIT AN IC3 RIGHT NOW IF YOU HAVE NOT ALREADY DONE”. The IC3, short for Internet Crime Complaint Center, is a central hub for reporting cybercrimes.

In a separate October 22 post on X, the security expert reminded the community that all credentials they had in LastPass at this time last year should be considered compromised.

Because of this, Tayvano urged the community to “prioritize rotating your most valuable/oldest secrets + migrate assets today.” Meanwhile, ZachXBT gave a strong recommendation of his own:

“If you think you have ever stored your seed phrase or keys in LastPass, migrate your crypto assets immediately.”

LastPass further recommended that its users never reuse their master password on other websites, and that they minimize the risk by changing the website passwords they have stored.