Just when you thought all of the fallout from the LastPass hack back in 2022 was over, hackers have now used stolen data from that incident to launch a series of attacks on users of the popular password manager.
In case you’re in need of a refresher, back in 2022, LastPass fell victim to multiple hacks in which its source code, API tokens, MFA seeds and keys were stolen from customers. With all of this valuable data in hand, hackers then launched a series of attacks in which they went after users’ crypto. Up until this point, LastPass was considered one of the best password managers and came highly recommended.
Then in October of 2023, $4.7 million in cryptocurrency was stolen and then in February of this year, an additional $6.4 million in digital currencies was drained from the accounts of LastPass users.
Now though, as reported by The Block, hackers with LastPast data have stolen yet another $5.36 million from over 40 different crypto wallet addresses of its users. This was discovered by the blockchain expert ZachXBT who claimed in a Telegram post that these new attacks are just the latest fallout from the one that took place two years ago.
In his post, ZachXBT explains that after this $5.36 million in crypto was stolen, the hackers then swapped these funds for Ethereum and proceeded to transfer them to various instant exchanges while converting them into Bitcoin.
Unfortunately with cryptocurrency, there’s really nothing at all victims can do to restore these stolen funds. This is why it’s recommended that you use a hardware wallet to store your crypto instead of a digital one or worse, keeping your crypto on an exchange where you don’t control the private keys.
In a statement to Tom's Guide, LastPass' CTO and CSO Christofer Hoff provided further insight on these crypto thefts, saying:
“A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass. Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team at securitydisclosure@lastpass.com.”
How to stay safe after a major security incident
Once you find out a service you use has been hacked, you need to take action immediately if you want to avoid getting caught up in the fallout yourself. This means changing your passwords and potentially placing a credit freeze or fraud alert on your financial accounts if they could be at risk.
In the case of a password manager like LastPass though, you want to change your master password which lets you access all of the other passwords and data you have stored with the service. Your master password is protected by strong end-to-end encryption and other safeguards, but you can never be too careful.
ZachXBT also pointed out in his post that the reason so many crypto accounts were attacked using stolen LastPass data is due to the fact that some users might have relied on the service to store their seed phrases or keys. If you’re unfamiliar with crypto, these are what are used to regain access to your account — and your money — when you forget your password.
Seed phrases and keys can be tricky though since storing them online in something like one of the best cloud storage services might seem like a good idea as doing so is convenient. In reality though, this is a terrible idea and one of the best places to store your seed phrase is offline in a safe or even in a safety deposit box. That way, if your other accounts get hacked, it won’t be accessible. Another thing to keep in mind is that under no circumstance whatsoever should you ever share your seed phrase with anyone, especially online.
So let’s say you switched to Dashlane, NordPass or another password manager after 2022’s LastPass breach. Even then, if you have compromised passwords and especially if you reuse them, your accounts could still be at risk. This is why you want to break the password reuse cycle and instead, use a strong and unique password for each of your online accounts. If you have trouble coming up with passwords on your own, a password generator can help make secure ones for you and most password managers include this feature though, there are also free password generators available online.
The cybercriminals behind 2022’s LastPass hack have milked that attack for all its worth but the fact that we’re still seeing that stolen data used in new attacks today might mean that they’re not quite done yet. Only time will tell but by practicing good cyber hygiene and online habits, you should be able to stay safe. If worse comes to worst though, it might also be worth investing in one of the best identity theft protection services as they can help you recover stolen funds (and your identity) more quickly after a crisis.
