LastPass data breaches behind crypto heists worth Rs. 300cr: Experts
Security experts are sounding the alarm as they uncover a concerning connection between a series of cryptocurrency heists and the 2022 LastPass data breaches. In a shocking revelation, it has been reported that over 150 victims of crypto theft have had their LastPass password vaults compromised, resulting in the theft of over $35 million (nearly Rs. 290 crores) in cryptocurrencies.
The link between LastPass and cryptocurrency heists
Researchers, including Taylor Monahan from MetaMask, have identified a common thread among the victims of cryptocurrency theft: they had previously used LastPass to store their "seed phrases." A seed phrase is a crucial cryptographic key required to access cryptocurrency investments, often stored securely on encrypted services like password managers. The stolen funds were traced to the same blockchain addresses, further cementing the connection between the victims and the LastPass security breaches.
LastPass's troubled history
LastPass, a popular password guidance service, faced two well-documented data breaches in August and November of 2022. During the second breach, hackers gained access to shared cloud storage containing customer encryption keys for vault backups. The question remains whether any of the stolen password vaults have been successfully cracked open, granting cybercriminals access to sensitive information.
LastPass's response and ongoing investigations
In a statement to The Verge, LastPass CEO Karim Toubba has confirmed that the November 2022 data breach is the subject of an ongoing investigation by law enforcement and is also tied to pending litigation. However, the company has not addressed the potential connection between the two breaches and the reported cryptocurrency thefts. Users and security experts await further clarification on this matter.
Security experts' urgent recommendations
Nick Bax, head of analytics at crypto wallet improvement firm Unciphered, has echoed the concerns raised by Monahan in an interview with KrebsOnSecurity. He urged LastPass users to take immediate action. He advises changing all passwords and migrating any exposed cryptocurrency holdings to safer platforms. This precautionary measure is seen as vital, despite the inconvenience it may cause.
