LastPass breach continues to haunt users as hackers steal $12 million in cryptocurrency
The 2022 data breach at password manager LastPass continues to have severe repercussions for users, with hackers recently stealing $12.38 million in cryptocurrency using information compromised in the original incident.
According to crypto investigator ZachXBT, the thefts occurred on December 16 and 17, with attackers draining funds from nearly 150 individual victim addresses. ZachXBT's analysis revealed that the stolen funds were quickly converted into Ethereum (ETH) and then transferred to various instant exchanges for conversion into Bitcoin, effectively laundering the stolen assets.
This latest incident follows a similar attack in October 2023, where approximately $4.4 million was stolen from over 25 LastPass users, further demonstrating the lasting impact of the 2022 breach.
ZachXBT issued an urgent warning to users who may have stored seed phrases or keys within LastPass, telling them to migrate their crypto assets immediately.
Jamie Moles, senior technical manager at ExtraHop, highlighted the increasingly common "long-tail effects" of cyber breaches, suggesting that the full extent of the LastPass fallout may not yet be fully understood. "This is just the most recent in an ongoing stream of crypto thefts affecting victims of the LastPass breach. With this new information coming to light two years on, we can assume we still don’t understand the full extent of the damage," Moles explained. He emphasized the importance of robust cybersecurity practices, noting that relying solely on signatures and rules to detect known attack vectors is no longer sufficient.
A recap of the 2022 LastPass breach
The initial breach, believed to have begun in August 2022, involved hackers accessing LastPass's development environment through a compromised developer account. This access allowed them to steal API tokens, MFA seeds, customer keys, and source code.
Initially, LastPass stated that no customer password information was compromised. However, in November 2022, they revealed that hackers had used information stolen in the first attack to access a third-party cloud storage service.
By December 2022, LastPass confirmed that customer account information and backups of customer vault data had been accessed. The vault backups contained both unencrypted data, such as website URLs, and fully encrypted sensitive information, including website usernames, passwords, secure notes, and form-filled data.
Finally, in March 2023, LastPass disclosed that the attackers had gained access to a senior DevOps engineer's personal device, reportedly by exploiting a vulnerability in Plex Media software. The hackers were believed to be searching for decryption keys to access the stolen customer vaults.
The ensuing crypto thefts in 2022 and the new exploits last week strongly suggest that the attackers were successful in their efforts to obtain decryption keys, enabling them to access and exploit user data long after the initial breach.
As investigations continue, the LastPass incident is a cautionary tale for users and businesses alike on the importance of continuous proactive response. Evidently, the effects of an attack don’t end once the attack has been discovered and stopped.