Hackers stole $4.4 million in cryptocurrency on October 25th using private keys and passphrases stored in stolen LastPass databases, according to crypto fraud researchers who have been investigating similar incidents.
“We regularly have people reach out via DM who have had their crypto assets stolen. We also approach victims we discover on-chain,” ZachXBT told BleepingComputer.
“We ask potential LastPass victims multiple questions and typically have found one commonality between them all being LastPass.”
According to a tweet by ZachXBT on X, the threat actors stole $4.4 million from 25+ victims due to a LastPass breach in 2022.
The LastPass breach
In 2022, LastPass suffered two breaches that ultimately allowed threat actors to steal source code, customer data, and production backups stored in cloud services that included encrypted password vaults.
At the time, LastPass CEO Karim Toubba said that while the encrypted vaults were stolen, only customers knew the master password required to decrypt them.
Therefore, if you were following password best practices recommended by LastPass, your vaults should be safe.
However, LastPass advised customers using weaker passwords to reset their master password.
“Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password,” reads a LastPass support bulletin about the cyberattack.
This suggestion was given because a weaker password can more easily be cracked using specialized programs that use a GPU to brute-force it.
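To make the bulletin's point about password strength and iteration count concrete, the following added example (not code from LastPass, the researchers, or the article) estimates how long an offline search of a stolen vault would take on average. It assumes the vault key is derived with PBKDF2-HMAC-SHA256; the attacker speed, the iteration settings and the sample passwords are constructed values.

```python
import hashlib
import math
import string

# Assumption (not stated in the article): the vault key is derived from the master
# password with PBKDF2-HMAC-SHA256, so one guess costs `iterations` HMAC rounds.
ATTACKER_ROUNDS_PER_SEC = 1e10                      # hypothetical GPU rig, constructed value
ITERATION_SETTINGS = (1, 5_000, 100_100, 600_000)   # illustrative settings, not from the article

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def entropy_bits_upper_bound(password: str) -> float:
    """length * log2(alphabet). Holds only for randomly generated passwords;
    human-chosen ones (words, years, names) are far weaker than this bound."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def expected_crack_seconds(bits, iterations, rounds_per_sec=ATTACKER_ROUNDS_PER_SEC):
    """Average time to search half of a 2**bits keyspace."""
    return 2 ** (bits - 1) * iterations / rounds_per_sec

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """The work that must be repeated for every candidate master password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def report(passwords):
    """One row per (password, iteration setting): bound in bits and expected years."""
    rows = []
    for pw in passwords:
        bits = entropy_bits_upper_bound(pw)
        for it in ITERATION_SETTINGS:
            years = expected_crack_seconds(bits, it) / (365.25 * 24 * 3600)
            rows.append((pw, round(bits, 1), it, years))
    return rows

if __name__ == "__main__":
    # Constructed sample passwords. "summer2022" is dictionary-guessable, so its
    # real resistance is far below the bound printed here.
    for pw, bits, it, years in report(["summer2022", "T7#qLz9!vWp2", "x4Kq-9mRz-Lp2v-Wc8t"]):
        print(f"{pw!r:24} <= {bits:5.1f} bits  iterations={it:>7}  ~{years:.3g} years")
```

Raising the iteration count multiplies the attacker's cost linearly, while each extra bit of password entropy doubles it, which is why a low iteration count hurts most when the master password is also weak.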
According to research conducted by Monahan and ZachXBT, it is believed that the threat actors are cracking these stolen password vaults to gain access to stored cryptocurrency wallet passphrases, credentials, and private keys.
Once they gain access to this information, they can load the wallets onto their own devices and drain them of all funds.
According to a report by Brian Krebs on this research, Monahan and other researchers have generated a unique signature that links the theft of over $35 million to the same threat actors.
“At this point I’m also confident in saying that, in most of these cases, the compromised keys were stolen from LastPass,” tweeted Monahan in August.
“The number of victims who only had the specific group of seeds/keys that were drained stored in LastPass is simply too much to ignore.”
It is becoming increasingly clear that the threat actors behind the LastPass attack have successfully cracked the passwords for vaults and are using the stolen information to fuel their own attacks.
Therefore, if you are a LastPass user who had an account during the August and December 2022 breaches, it is strongly suggested that you reset all of your passwords, including your master password.