Photo by Tada Images/Shutterstock.com

Hackers executed a heist of $4.4 million in cryptocurrency on October 25th, leveraging private keys and passphrases stored within pilfered LastPass databases.

Cybersecurity and cryptocurrency experts ZachXBT and Taylor Monahan, a developer of MetaMask, have been tracking these incidents closely.

A tweet by ZachXBT indicated that the malicious actors responsible absconded with $4.4 million from over 25 victims due to a LastPass breach in 2022.

The LastPass breach in 2022 encompassed two security breaches that facilitated the theft of source code, customer data, and production backups, including encrypted password vaults stored in cloud services. LastPass CEO Karim Toubba stated that the encrypted vaults had been stolen but emphasised that only customers held the master password essential for decryption. Hence, vaults following LastPass’s password best practices were deemed secure.

However, LastPass advised users with weaker passwords to reset their master passwords, particularly due to the potential of brute force attacks facilitated by GPUs for easier-to-crack passwords.

Just on October 25, 2023 alone another ~$4.4M was drained from 25+ victims as a result of the LastPass hack.

Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately. pic.twitter.com/26HsxrlnCb
— ZachXBT (@zachxbt) October 27, 2023

Monahan and ZachXBT suggested that cybercriminals are exploiting these stolen password vaults to gain access to stored cryptocurrency wallet passphrases, credentials, and private keys. Once these details are compromised, the hackers have been loading the wallets onto their devices and siphoning off all the funds.

Another security researcher, Brian Krebs, reported that Monahan and her fellow researchers have identified a distinct signature linking the theft of over $35 million to these same threat actors. Monahan underscored her confidence in attributing these thefts to LastPass breaches, stating that the victims exclusively storing their keys in LastPass were too numerous to overlook.

The perpetrators behind the LastPass attack have managed to crack vault passwords, utilising this stolen information for their illicit activities. The researchers have advised users with LastPass accounts during the August and December 2022 breaches to reset all their passwords to safeguard against the looming threat of crypto asset theft.

In August 2022, LastPass was breached, leaking the source code. In December 2022, there was yet another breach where the attacker could gain access to customer data using credentials stolen in the August 2022 breach.

In the News: Microsoft initiates crackdown on “unauthorised” Xbox controllers