LastPass hack causes whopping $4.4 mn loss in crypto to victims!

In this digital age where everything is online, cybersecurity personnel advise keeping a password manager that can help you manage multiple passwords that you have set up for different platforms while also creating complex passwords for you. But what if the password manager itself becomes the target of hackers? This is exactly what happened with LastPass, the password manager application owned by GoTo. On October 25, at least 25 LasPass users were targeted by cybercriminals who siphoned over $4.4 million from them in crypto. Let us take a closer look.

LastPass hack: What happened

According to blockchain analyst ZachBXT (via CoinDesk), the popular password manager LastPass has become the latest target of hackers. This is the second cyberattack on the platform in less than a year after hackers gained unauthorized access to LastPass’ third-party cloud-based storage service which is used to store archived backups of production data. 

“Just on October 25, 2023 alone another ~$4.4M was drained from 25+ victims as a result of the LastPass hack. Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately”, ZachXBT posted on X.

As part of this latest hack, threat actors compromised 80+ distinct addresses and more than 25 victims, stealing keys and seed phrases to their crypto assets, according to ZachXBT and MetaMask developer Taylor Monahan. Funds from blockchains such as Bitcoin, Ethereum, BNB, Arbitrum, Solana have been siphoned, with estimates putting it at nearly $4.4 million in total.

Continuous thefts

After last year’s hack, LastPass has become the victim of thefts on numerous occasions. According to Monahan, more than 150 people are connected to these thefts which amount to a staggering $35 million in crypto. Interestingly, none of the attacks began as a result of the victim’s phone or email getting compromised.

“The victim profile remains the most striking thing. They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs, people who built DeFi protocols, deploy contracts, run full nodes”, Monohan said.

The list of stolen keys is diverse, with hackers stealing 12 and 24-word seeds, Ethereum presale wallet jsons, wallet.dats, private keys generated via MEWs, and more.

How to protect yourself against password hacks

1. Do not reuse passwords – ALWAYS keep a different password for different platforms.

2. Use random combinations – Passwords that contain a mix of characters, numbers, and symbols are more difficult to guess and are therefore less likely to be hacked.

3. Keep long passwords – You should aim for a password that is at least 8-12 characters long as it takes longer to figure out.

4. Use 2FA/MFA authentication – Most platforms offer additional security layer options like OTPs via email and phone numbers, etc. Use them, you can never be too safe.

5. Use a password manager – A password manager helps you manage multiple passwords that you have set up for different platforms and it can also create complex passwords for you. Moreover, it also stores them securely, away from prying eyes.