LastPass, the popular password manager, is again at the center of controversy. Last week a hacker drained millions of dollars worth of crypto assets from users’ wallets; the victims had stored their wallet seed phrases in LastPass before the service was breached.
Blockchain watchdogs ZachXBT and Tayvano tracked the thieves’ movements on October 25. Approximately $4.4 million worth of cryptocurrency was stolen from 80 addresses belonging to about 25 victims.
“Most, if not all, of the victims are longtime LastPass users and/or confirm having stored their keys/seeds in LastPass,” wrote Tayvano in a report.
LastPass was compromised before
The case traces back to a security breach first disclosed in December 2022, when LastPass notified users that an unauthorized party had accessed a third-party cloud storage service in which the company keeps backup copies of archived data.
At the time, LastPass said the attacker had copied a backup of customer vault data from an encrypted storage container. Those vault backups hold both unencrypted fields, such as website URLs, and encrypted fields: website usernames and passwords, secure notes, and form-fill data.
Although the data was stolen, LastPass CEO Karim Toubba noted that a threat actor would still need to brute-force each user’s master password to decrypt a copied vault, a process he estimated would be “extremely difficult.” He pointed to the hashing and encryption methods the firm uses to protect customers: the vault key is derived from the master password with PBKDF2-HMAC-SHA256 at a default of 100,100 iterations, and the sensitive fields are encrypted with AES-256. The practical caveat is that this protection is only as strong as the master password and the account’s iteration count. The attack is entirely offline, so login rate limits and multi-factor authentication do not apply, and a weak or reused master password can be guessed no matter how many PBKDF2 iterations stand in front of it.
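To make the brute-force point concrete, here is an added Python example; it is not LastPass code and not part of the original article, and it models the offline attack rather than LastPass’s real vault format. The e-mail address, wordlist and the two iteration counts (a low legacy-style value and the 100,100 default cited in the breach notice) are constructed assumptions for the demo. The verifier is stand-in for any stolen field that is a deterministic function of the vault key (a known-plaintext field, an authentication tag, a login hash): once the attacker holds it, every guess is checked locally.

```python
import hashlib
import hmac
from typing import Optional

# Illustrative parameters for this demo only (assumptions, not data from any
# real account): a constructed victim e-mail, a small constructed wordlist,
# and two PBKDF2 iteration counts, a low legacy-style value and the 100,100
# default LastPass cited in its breach notice.
DEMO_EMAIL = "victim@example.com"
LEGACY_ITERATIONS = 5_000
MODERN_ITERATIONS = 100_100
WORDLIST = ["password", "letmein", "Summer2022!", "correct horse battery staple"]


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key: PBKDF2-HMAC-SHA256(master password, salt=e-mail)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def make_verifier(vault_key: bytes) -> bytes:
    """A value in the stolen vault that is a deterministic function of the key.

    In a real vault any known-plaintext field, authentication tag or login hash
    plays this role; here it is HMAC-SHA256 of a fixed label under the key.
    """
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def offline_crack(verifier: bytes, email: str, iterations: int,
                  wordlist: list[str]) -> Optional[str]:
    """Dictionary attack on a stolen verifier.

    Every guess is checked locally, so server-side rate limiting and MFA never
    come into play; only the master password's guessability and the per-guess
    PBKDF2 cost slow the attacker down. Returns the recovered password or None.
    """
    for candidate in wordlist:
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(make_verifier(key), verifier):
            return candidate
    return None


def attack_cost(wordlist_size: int, iterations: int) -> int:
    """PBKDF2 rounds needed to exhaust a wordlist.

    The attacker's work scales linearly with the iteration count, which is why
    accounts left on low legacy counts are far cheaper to attack.
    """
    return wordlist_size * iterations


if __name__ == "__main__":
    # Weak master password present in the wordlist: recovered even at 100,100 iterations.
    weak = make_verifier(derive_vault_key("Summer2022!", DEMO_EMAIL, MODERN_ITERATIONS))
    print("weak password recovered:",
          offline_crack(weak, DEMO_EMAIL, MODERN_ITERATIONS, WORDLIST))

    # Strong, unique master password: the same wordlist finds nothing.
    strong = make_verifier(derive_vault_key("vV9#rLq2!xT0-mK8pZ", DEMO_EMAIL, LEGACY_ITERATIONS))
    print("strong password recovered:",
          offline_crack(strong, DEMO_EMAIL, LEGACY_ITERATIONS, WORDLIST))

    # Cost comparison: 100,100 iterations makes each guess about 20x dearer than 5,000.
    print("rounds per 1e6 guesses, legacy:", attack_cost(1_000_000, LEGACY_ITERATIONS))
    print("rounds per 1e6 guesses, modern:", attack_cost(1_000_000, MODERN_ITERATIONS))
```

The two runs show the asymmetry the article is circling: the iteration count multiplies the attacker’s cost per guess (here by a factor of about 20 between the two settings), but it cannot rescue a master password that appears in a wordlist, while a long random password survives the same wordlist at the low count. For a user whose vault backup was in the stolen data, the only variables under their control were the strength of the master password and, for older accounts, whether the iteration count had ever been raised.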