In 2022, LastPass suffered multiple breaches, and the consequences are still visible years later. It has now emerged that 40 cryptocurrency holders have been robbed of $5.4 million worth of crypto assets.
The identity of the attacker is unknown. Blockchain researcher ZachXBT found that funds drained from 40 wallets were swapped into Ethereum and then moved into Bitcoin through a series of instant exchange transactions.
Hack from 2022
Password manager LastPass lost a large amount of sensitive data in 2022 in a series of breaches. Source code, customer keys, API tokens and MFA seeds were the attackers' main proceeds. Later, in October 2023 and again in February this year, crypto tokens were stolen using this LastPass data: $4.7 million the first time and $6.4 million the second. Other researchers have put the total losses at around $35 million. The total value of the stolen funds has not been established.
LastPass has now been separated from its former owner GoTo. The company is trying to regain the trust of users, who have more than enough alternative password managers to choose from. On top of the incidents themselves, failures to follow best practices have already damaged that trust, such as allowing short, easy-to-guess master passwords to protect the vault, which leaves a stolen encrypted vault open to offline guessing. Now, with renewed evidence that the damage to customers from 2022 is enormous, LastPass is being reminded that past mistakes still have consequences in the present.
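Why a short master password matters once the encrypted vault itself has been stolen: the attacker holds the salt, the iteration count and a key-check value, so every guess can be verified offline with no server-side lockout. The script below is an added illustration, not LastPass code and not its vault format; the header layout, the key-check construction, the wordlist and the cracking-rig throughput figure are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import itertools
import os
import string


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: master password -> 32-byte vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_vault(master_password: str, iterations: int, salt: bytes = b"") -> dict:
    """Build a toy vault header (constructed format, not a real product's layout).

    Everything in the header is what a thief holds after stealing a backup:
    the salt, the iteration count and a key-check value. Only the master
    password is secret.
    """
    salt = salt or os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    # The key-check value lets the legitimate client confirm the master password
    # before decrypting. It also lets a thief confirm guesses offline.
    kcv = hashlib.sha256(b"kcv" + key).digest()
    return {"salt": salt, "iterations": iterations, "kcv": kcv}


def candidate_passwords():
    """Attacker's guess order: a tiny constructed wordlist, then every 1-4 digit PIN."""
    wordlist = ["password", "letmein", "lastpass", "qwerty", "123456"]
    yield from wordlist
    for length in range(1, 5):
        for digits in itertools.product(string.digits, repeat=length):
            yield "".join(digits)


def offline_guess(vault: dict, candidates, limit: int = 20000):
    """Try candidates against a stolen header. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for pw in candidates:
        if guesses >= limit:
            break
        guesses += 1
        key = derive_key(pw, vault["salt"], vault["iterations"])
        check = hashlib.sha256(b"kcv" + key).digest()
        if hmac.compare_digest(check, vault["kcv"]):
            return pw, guesses
    return None, guesses


def seconds_to_exhaust(keyspace: int, iterations: int,
                       guesses_per_sec_at_1_iter: float = 1e9) -> float:
    """Rough wall-clock time to try `keyspace` guesses on one cracking rig.

    PBKDF2 cost is linear in the iteration count, so raising it from a few
    thousand to hundreds of thousands multiplies the attacker's bill by the
    same factor. The 1e9 single-iteration rate is an assumed GPU-class figure.
    """
    return keyspace * (iterations / guesses_per_sec_at_1_iter)


if __name__ == "__main__":
    # Constructed demo vaults. 200 iterations keeps the run fast; real
    # deployments should use hundreds of thousands.
    salt = b"\x00" * 16
    weak = make_vault("1234", iterations=200, salt=salt)
    strong = make_vault("correct horse battery staple 91", iterations=200, salt=salt)
    print("weak  :", offline_guess(weak, candidate_passwords()))
    print("strong:", offline_guess(strong, candidate_passwords()))
    # An 8-character lowercase keyspace at a low versus a modern iteration count.
    for it in (5000, 600000):
        days = seconds_to_exhaust(26 ** 8, it) / 86400
        print(f"{it:>7} iterations: {days:,.1f} days to exhaust 26^8")
```

The two levers the example exposes are exactly the ones in the text: guess count (password length and entropy) and per-guess cost (iteration count). A four-digit PIN falls within a few thousand guesses regardless of iterations, while the long passphrase survives the whole candidate list; raising iterations only buys time proportionally, so it cannot rescue a password that is already in a wordlist.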
Former customers still exposed
Those who have since abandoned LastPass are not immune from the consequences of the hack. Anyone whose vault, including passwords and cryptographic keys, was among the stolen data may already be compromised on every account that was stored in LastPass. The only remediation is to have rotated every password and secret that lived in the vault and to have enabled MFA everywhere; for a crypto wallet, rotating means moving the funds to a wallet generated from a fresh seed, since a seed phrase cannot be changed. Even then, the stolen data gives attackers enough to craft convincing phishing emails that keep targeting users.
Christofer Hoff, Chief Secure Technology Officer at LastPass, denies that the 2022 hack has a proven connection to the incidents of cryptocurrency theft. He states the following: “A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass. Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team at securitydisclosure@lastpass.com.”