LastPass exploits that resulted in victims losing millions of dollars in cryptocurrencies. On October 25, 2023, approximately 25 victims lost $4.4 million as a result of the LastPass hack. It is not clear what specific exploit was used in this case; however, researchers have traced it back to a security breach.
It is also unclear whether LastPass has issued official statements regarding the exploit or taken action to address the issue. However, victims of the hack have been advised to send a direct message with the transaction hashes of the theft if they suspect that they have been affected. As of October 30, 2023, the total amount lost due to the LastPass breach was estimated at $44 million.
What happened
In December 2022, LastPass reported that an attacker had used information previously stolen in an August hack to target a LastPass employee. The hacker intercepted the employee's credentials and decrypted the stored customer information.
A backup of encrypted customer data was also stolen, which LastPass warned could be decrypted if the attacker brute-force guessed the account master password.
In a blog post in September, cybersecurity journalist Brian Krebs reported that some of LastPass’s customer vaults appeared to have been compromised, with more than $35 million worth of cryptocurrency stolen from around 150 victims.
In January, LastPass was hit with a class action lawsuit from individuals claiming that the August 2022 hack resulted in the theft of approximately $53,000 worth of bitcoin (BTC).
In his latest post on X, ZachXBT advised anyone who has ever stored a wallet seed phrase or private key in LastPass to "move your crypto assets immediately".
"I can't stress this enough: if you think you've ever stored your initial phrase or keys in LastPass, move your crypto assets immediately," ZachXBT (@zachxbt) advised on October 27, 2023.
Summary
The LastPass hack allowed unauthorized access to user accounts, resulting in large cryptocurrency losses for owners who stored wallet keys and seed phrases in the app.
The hackers specifically targeted seed phrases and keys, stating that their primary goal was to steal cryptocurrencies.
Furthermore, there are disturbing similarities in the profiles of the victims this year.