Victims of LastPass Hack Suffer $4.4 Million Loss in Cryptocurrency

In today’s digital era, cybersecurity experts recommend using a password manager to efficiently handle numerous passwords for various platforms and generate strong, complex passwords. However, what if the password manager becomes vulnerable to hackers? This is precisely what occurred with LastPass, a password manager app owned by GoTo. On October 25, a group of cybercriminals targeted at least 25 LastPass users, resulting in the theft of over $4.4 million in cryptocurrency. Let’s delve deeper into the details.

LastPass Hack: What Happened

Popular password manager LastPass has become the latest target for hackers, according to blockchain analyst ZachBXT (via CoinDesk ). This is the second cyberattack on the platform in less than a year, after hackers gained unauthorized access to LastPass’s third-party cloud-based storage service, which is used to store archived backups of production data.

“On October 25th, 2023 alone, over 25 victims lost approximately $4.4 million as a result of the LastPass hack. Can’t stress this enough, if you believe you’ve ever stored your seed phrase or key in LastPass, transfer your crypto assets immediately,” ZachXBT posted on X.

According to ZachXBT and MetaMask developer Taylor Monahan, as part of this latest hack, attackers compromised more than 80 separate addresses and more than 25 victims, stealing keys and seed phrases for their cryptographic assets. Funds from blockchains such as Bitcoin, Ethereum, BNB, Arbitrum, and Solana have been transferred and are estimated to total nearly $4.4 million.

Constant thefts

Since last year’s hack, LastPass has been a victim of theft on several occasions. According to Monahan, more than 150 people are involved in these thefts, which are worth a whopping $35 million in crypto. Interestingly, none of the attacks started as a result of the victim’s phone or email being compromised.

“The victim profile is still the most striking thing. They are all reasonably safe indeed. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto organizations, risk managers, people who built DeFi protocols, implement contracts and run all the nodes,” Monohan said.

The list of stolen keys is diverse: hackers steal 12- and 24-word seeds, Ethereum presale wallet jsons, wallet.dats files, private keys generated via MEWs, and more.

How to protect yourself from password breaches

1. Don’t reuse passwords – ALWAYS keep a different password for different platforms.

2. Use random combinations – Passwords that contain a combination of letters, numbers, and symbols are harder to guess and therefore less likely to be hacked.

3. Keep long passwords – Aim for a password of at least 8-12 characters as it takes longer to figure out.

4. Use 2FA/MFA Authentication – Most platforms offer extra security options like OTPs via email and phone numbers etc. Use them, you can never be too safe.

5. Use a password manager – A password manager helps you manage multiple passwords you’ve set on different platforms and can also generate complex passwords for you. In addition, it also keeps them safely away from prying eyes.