A security breach at the password manager LastPass has been linked to the theft of approximately $4.4 million in crypto assets. On-chain researchers ZachXBT and Taylor Monahan, also known as Tayvano, found that the funds were drained from 80 distinct addresses belonging to 25 victims. The thefts drew on wallet seed phrases that victims had stored in their LastPass vaults, and were traced back to the security incident LastPass first disclosed in December 2022.
LastPass had previously acknowledged that an unauthorized party accessed a third-party cloud-based storage service the firm used to store archived data backups. During this breach, the attacker copied customer vault data, including website credentials, secure notes, and form-fill data. Although the vault data was encrypted, LastPass CEO Karim Toubba admitted that decryption was theoretically possible by brute-forcing the master password offline, albeit extremely difficult because of the firm's hashing and encryption methods.
Earlier this year, a report by Unchained highlighted a wallet draining operation that resulted in a theft of $10 million worth of crypto between December 2022 and April 2023. Tayvano, who investigated these transactions, suggested a possible link to the LastPass breach.
The most recent thefts, on October 25, affected at least 25 individuals and underscore the ongoing risk to users whose vaults were taken. In a Twitter post, ZachXBT, together with Tayvano, reported that most victims were long-term LastPass users who had stored their crypto wallet private keys or seed phrases in the application.
LastPass had previously warned users that encrypted customer vault data stolen during the breach could potentially be decrypted if attackers successfully guessed the master password. Following the incidents, ZachXBT has advised anyone who stored wallet seeds or private keys in LastPass to urgently migrate their crypto assets to mitigate further risks.
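The warning above, and the CEO's earlier statement, come down to one point: once the encrypted vault is in the attacker's hands, its security reduces to the master password's entropy multiplied by the cost of one key-derivation attempt, and the attacker can test guesses offline at leisure. The following is an added illustration of that offline guessing model, not code from LastPass or from the researchers cited in the article. It assumes a PBKDF2-HMAC-SHA256 key derivation, a fixed-header HMAC as the "does this key decrypt the vault" check, and the iteration counts shown; none of these parameters are stated on this page and they are chosen only to make the cost comparison concrete.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Constructed example: a miniature "vault" protected by a master password.
# KDF, verifier construction and iteration counts are illustrative assumptions,
# not the real LastPass parameters (which this article does not state).
VAULT_HEADER = b"vault-header-v1"
ITERATIONS_WEAK = 5_000      # assumed low, legacy-style iteration count
ITERATIONS_STRONG = 600_000  # assumed modern iteration count


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_vault(master_password: str, iterations: int) -> dict:
    """Simulate what a thief holds: salt, iteration count and an HMAC over a
    fixed header that lets any candidate key be checked without a server."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, VAULT_HEADER, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_guess(vault: dict, guess: str) -> bool:
    """Offline test of one master-password guess against the stolen vault."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    tag = hmac.new(key, VAULT_HEADER, hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["verifier"])


def crack_with_wordlist(vault: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack: returns (recovered password or None, guesses tried).
    Every guess costs a full PBKDF2 run, which is the only thing slowing the attacker."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if check_guess(vault, guess):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the per-guess KDF cost on this machine (single core, no GPU)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_seconds_to_crack(entropy_bits: float, iterations: int,
                              guesses_per_sec_per_iter: float) -> float:
    """Expected time to find a password of the given entropy: half the keyspace
    times the cost of one guess. guesses_per_sec_per_iter is the attacker's
    assumed throughput normalised to a single PBKDF2 iteration, so raising the
    iteration count divides throughput linearly."""
    keyspace = 2.0 ** entropy_bits
    guesses_per_sec = guesses_per_sec_per_iter / iterations
    return (keyspace / 2) / guesses_per_sec


if __name__ == "__main__":
    vault = make_vault("correcthorse", ITERATIONS_WEAK)
    found, tried = crack_with_wordlist(vault, ["password", "123456", "letmein", "correcthorse"])
    print(f"recovered {found!r} after {tried} guesses")
    print(f"per-guess cost at {ITERATIONS_WEAK} iterations: {seconds_per_guess(ITERATIONS_WEAK):.4f}s")
    # Assumed attacker budget of 1e9 PBKDF2 iterations per second across a GPU rig.
    for bits in (30, 50, 80):
        weak = expected_seconds_to_crack(bits, ITERATIONS_WEAK, 1e9)
        strong = expected_seconds_to_crack(bits, ITERATIONS_STRONG, 1e9)
        print(f"{bits}-bit password: {weak/86400:.1f} days at weak KDF, "
              f"{strong/86400:.1f} days at strong KDF")
```

The takeaway for a practitioner is that a higher iteration count only scales the attacker's cost linearly, while each extra bit of master-password entropy doubles it; a short or reused master password leaves a stolen vault, and any seed phrase inside it, recoverable regardless of the KDF setting, which is why the advice to move funds rather than rely on the encryption is the right one.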