The repercussions from the 2022 LastPass data breach continue to unfold, as a recent report cites losses of $4.4 million in crypto assets. The breach, which had initially impacted the password storage software, has now affected 25 individuals who have lost significant sums across 80 wallets.
On October 27, a post by on-chain investigator ZachXBT detailed how he, in collaboration with MetaMask developer Taylor Monahan, tracked the fund movements of these compromised wallets, all of which were infiltrated on October 25.
Deepening Security Concerns
In December 2022, LastPass disclosed that an intruder had used data previously stolen in an August breach. The attacker targeted a LastPass employee, acquiring their credentials and decrypting the saved client data.
Further exacerbating the situation, a backup containing encrypted client vault information was also seized. LastPass cautioned users that this information could be decrypted, provided the assailant managed to guess the master password for the account correctly.
Previous Reports and Warnings
Earlier in September, cybersecurity writer Brian Krebs highlighted that some LastPass vaults appeared to have been compromised. An alarming $35 million in crypto assets was siphoned off, affecting approximately 150 users.
By the following January, LastPass found itself facing a class-action lawsuit. The suit was filed by several claimants who asserted that the August 2022 breach led to the theft of approximately $53,000 worth of Bitcoin.
In the wake of these developments, ZachXBT has issued a cautionary note on his recent post. He fervently advises all who have ever saved a wallet seed or private encryption key on LastPass to urgently “transfer your crypto assets to a safe location.”