LastPass breach comes back to haunt users as hackers steal $12 million in cryptocurrency
The hackers behind the LastPass breach are on a rampage two years after their initial attack
A major data breach at password manager firm LastPass in 2022 is still causing mayhem two years later, with cyber criminals using stolen information to carry out further attacks.
According to data collated by crypto investigator ZachXBT, hackers stole $12.38 million in cryptocurrency from LastPass users on 16 and 17 December.
The attackers drained nearly 150 individual victim addresses, according to the analysis, with ZachXBT noting the stolen money was quickly converted into different currencies and syphoned away.
“The stolen funds were swapped for ETH and transferred to various instant exchanges from Ethereum to Bitcoin,” ZachXBT wrote in his Telegram channel.
This activity is the most recent example of criminal activity linked to the 2022 LastPass breach, with cyber criminals stealing approximately $4.4 million from over 25 victims on 25 October 2023.
Breaking the news, ZachXBT urged readers to move their cryptocurrencies if they might have been impacted by the LastPass incident.
“I cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass, migrate your crypto assets immediately.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Jamie Moles, senior technical manager at ExtraHop, said the drawn out effects of cyber breaches are becoming all too familiar, noting it’s likely the true scale of the fallout associated with the incident is yet to be fully comprehended.
“This is just the most recent in an ongoing stream of crypto thefts affecting victims of the LastPass breach. With this new information coming to light two years on , we can assume we still don’t understand the full extent of the damage,” he explained.
“The long-tail effects of hacks on even the most sophisticated organisations underscores how important it is to get cybersecurity right in the first place. We know that there are going to be new exploits and unknown threats coming at enterprise and public sector organisations. Using signatures and rules to detect known attack vectors isn’t enough, and it hasn’t been for some time.”
What happened with the LastPass breach?
The original incident, believed to have begun in August 2022, saw hackers use stolen information from a compromised developer environment to eventually lift API tokens, MFA seeds, customer keys, and source code.
On 25 August 2022, Karim Toubba, CEO at LastPass, published a notice warning users that suspicious activity had been detected inside the company’s development environment.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
Although the company said no customer or password information was compromised in September, Toubba issued a statement on 30 November warning that hackers had used information stolen in August to gain access to its third-party cloud storage service.
In December 2022, LastPass found that the hackers were able to access LastPass customer account information as well as backups of the customer vault data.
Compromised data included “unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data”.
Finally, in March 2023 LastPass revealed the threat actors behind the attack had gained access to the personal device used by a senior DevOps engineer after reportedly exploiting a vulnerability in their Plex Media software.
The hackers appeared to be looking for decryption keys they could use to access the customer vaults they had stolen in November 2022.
It looks as if these activities were largely successful as the group continued to their rampage draining crypto accounts of users impacted by the breach years after the fact, underscoring the ‘long-tail effect’ breaches can have.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.