Password storage provider LastPass suffers major breach, compromising 80 wallets and impacting crypto ecosystem
About 25 people using LastPass lost more than $4 million in cryptocurrencies in a single day. Even worse, the security breach dates back to December 2022 which compromised at least 80 wallets.
The breach occurred in 2022, with the cybercriminals specifically targeting seed phrases and wallet keys to steal cryptocurrencies. The theft was not a one-time event but continued over a period, with the thief draining funds from victims' wallets. This incident is not the first of its kind, as a similar breach in August 2022 resulted in the theft of over $35 million worth of crypto from over 150 LastPass customers.
Taylor Monahan, founder of MyCrypto and MyEtherWallet, and who frequently shares her onchain findings on X (formerly Twitter), remarked that the most "striking thing" about the attach was the profiles of the victims. They are people deeply integrated into the crypto ecosystem such as people who work at reputable crypto companies, venture capitalists, blockchain developers, etc. At the same time, the hackers targeted a very diverse set of key types, as well as chains and coins.
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">The victim profile remains the most striking thing. <br><br>They truly all are reasonably secure. <br><br>They are also deeply integrated into this ecosystem: employees of reputable crypto orgs, VCs, people who build defi protocols, deploy contracts, run full nodes, and have ENS name*s*</p>— Tay 💖 (@tayvano_) <a href="https://twitter.com/tayvano_/status/1696222658151727445?ref_src=twsrc%5Etfw">August 28, 2023</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
In the wake of the breach, security experts are advising LastPass users to move their assets stored in LastPass as soon as possible. Anyone who has ever stored their wallet seed or private key in LastPass should migrate their crypto assets immediately to prevent further losses. This incident underscores the importance of securing sensitive information and the potential risks associated with storing crypto wallet keys or seed phrases in password management systems.
The breach has also led to legal repercussions for LastPass, which is now facing a class-action lawsuit. The lawsuit is likely to focus on the company's security measures and its responsibility to protect user data. The outcome of this lawsuit could have significant implications for other password storage providers and the broader tech industry.