The LastPass data breach incident that occurred last year resulted in dozens of victims having cryptocurrency stolen, new research shows.
Cryptocurrency analyst ZachXBT (Twitter alias) and MetaMask developer Taylor Monahan, who have been monitoring the attacks, believe the attackers managed to steal $4.4 million from more than twenty victims:
“We regularly DM people who have had their crypto assets stolen. We also contact victims we discover on-chain,” ZachXBT told us. BleepingComputer. “We ask potential LastPass victims multiple questions and generally have one thing in common: LastPass.”
Brute forcing of the vaults
In August 2022, LastPass suffered a data breach that allowed the attackers to get away with people’s password vaults. You can think of these as encrypted folders where all passwords are stored. However, without the master password it is impossible to decrypt the folder and access its contents: passwords for other services.
That doesn’t mean the attackers can’t try to get in using specialized hardware and software. If the master password is relatively weak (a simple combination, for example), they may be able to crack it.
“Depending on the length and complexity of your master password and the repeat count setting, you may want to reset your master password,” LastPass warned at the time of the breach.
And that’s exactly what investigators suspect the attackers did. The idea is that in some vaults people kept their seed phrases: long passwords (12 to 24 words) that allowed the attackers to load the wallets on their own devices and then empty the funds.
When it comes to keeping your cryptocurrencies safe, it is best to follow industry best practices, including purchasing a cold wallet (an offline device) and not storing the seed phrase digitally, but printing it on a piece of paper and saving it. somewhere safe (preferably in multiple locations).