On October 25, approximately 25 cryptocurrency users who relied on the popular password manager LastPass fell victim to a cyberattack that cost them over $4 million worth of digital assets. The finding comes from blockchain investigator ZachXBT, who, in collaboration with fellow sleuth Tayvano, traced the exploit back to December 2022, when LastPass officially confirmed a security breach.
During the initial breach, LastPass disclosed that the perpetrators had managed to secure a copy of their customer vault data, containing critical information such as website usernames, passwords, secure notes, and form-filled data.
Subsequently, malicious actors have systematically drained the wallets of cryptocurrency users who might have stored their essential seed phrases on the LastPass platform. Reports indicate that $35 million has been stolen from over 150 victims since the breach in December.
As recently as October 27, Tayvano disclosed that the latest attack impacted approximately 80 cryptocurrency addresses belonging to these 25 victims, resulting in a collective loss of $4.4 million.
Notably, many of the victims were long-term users of LastPass and had indeed stored their crucial cryptographic keys and seed phrases within the compromised platform.
In the wake of this security breach, several cryptocurrency security experts have been offering guidance to LastPass users on how to mitigate further potential losses. Tayvano strongly advised individuals whose wallets had been drained to “get in touch and FILE AN IC3 RIGHT NOW IF YOU HAVEN’T DONE SO ALREADY.” The IC3, or Internet Crime Complaint Center, serves as a central hub for reporting cybercrimes, providing an essential channel for victims to seek redress.
Additionally, in a separate post dated October 22, the security expert emphasized the importance of considering all credentials stored in LastPass a year ago as compromised. Consequently, Tayvano urged the community to prioritize the immediate rotation of their most valuable and oldest secrets, along with the migration of their assets to enhance security.
Furthermore, ZachXBT offered a strong recommendation, advising individuals who suspect that they may have ever stored their seed phrases or keys within LastPass to swiftly migrate their cryptocurrency assets to more secure platforms.
In response to this security breach, LastPass also issued its own guidance, urging users never to reuse their master password on other websites and to regularly change the passwords of the websites stored within the LastPass vault to minimize the risks associated with this incident.