Experts link LastPass security breach to a string of crypto heists

Share via:

One researcher claims the number of victims who stored their crypto keys on LastPass was “simply too much to ignore.” | Illustration: Beatrice Sala

Security experts are claiming that some of the LastPass password vaults stolen during a security breach near the end of 2022 have now been cracked open following a string of six-figure cryptocurrency heists. Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service. Collectively, over $35 million in crypto has reportedly been stolen so far, with between two to five high-value heists occurring each month since December 2022.

Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments. These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets. The stolen funds were also moved to the same blockchain addresses, further linking the victims.

At this point I’m also confident in saying that, in most of these cases, the compromised keys were stolen from @LastPass

The number of victims who only had the specific group of seeds/keys that were drained stored in LastPass is simply too much to ignore.

— Tay (@tayvano_) August 28, 2023

Password management service LastPass suffered two known security breaches in August and November last year, with hackers using information obtained during the first breach to access shared cloud storage containing customer encryption keys for vault backups during the latter incident. We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.

In a statement to The Verge, LastPass CEO Karim Toubba says that the security breach last November remains “the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation.” The company did not say whether the 2022 LastPass breaches have anything to do with the reported crypto thefts.

Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:

“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

admin
admin
Hi! This is Admin.

Popular

More Like this

Experts link LastPass security breach to a string of crypto heists

One researcher claims the number of victims who stored their crypto keys on LastPass was “simply too much to ignore.” | Illustration: Beatrice Sala

Security experts are claiming that some of the LastPass password vaults stolen during a security breach near the end of 2022 have now been cracked open following a string of six-figure cryptocurrency heists. Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service. Collectively, over $35 million in crypto has reportedly been stolen so far, with between two to five high-value heists occurring each month since December 2022.

Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments. These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets. The stolen funds were also moved to the same blockchain addresses, further linking the victims.

At this point I’m also confident in saying that, in most of these cases, the compromised keys were stolen from @LastPass

The number of victims who only had the specific group of seeds/keys that were drained stored in LastPass is simply too much to ignore.

— Tay (@tayvano_) August 28, 2023

Password management service LastPass suffered two known security breaches in August and November last year, with hackers using information obtained during the first breach to access shared cloud storage containing customer encryption keys for vault backups during the latter incident. We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.

In a statement to The Verge, LastPass CEO Karim Toubba says that the security breach last November remains “the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation.” The company did not say whether the 2022 LastPass breaches have anything to do with the reported crypto thefts.

Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:

“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

admin
admin
Hi! This is Admin.

More like this

Apple will likely be updating every Mac with M4,...

Seemingly, for the first time in forever, Apple...

A new iOS 18 security feature makes it harder...

There is an apparently new iOS 18 security...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!