LastPass under fire again as users report stolen crypto keys and losses
Repercussions from the 2022 LastPass hacks continue to linger. The company is now facing a new barrage of allegations tied to compromised data and stolen crypto funds.
X (formerly Twitter) users have been spreading reports of unexplained cryptocurrency wallet depletions, with certain individuals linking these crypto heists to the 2022 breaches of the widely used password manager LastPass.
“At this point I'm also confident in saying that, in most of these cases, the compromised keys were stolen from @LastPass,” a tweet by X user Tay reads.
We reached out to Tay to see if they'd be willing to share more details about the alleged crypto heists, but haven’t heard back from them yet.
According to the user, attackers have stolen at least $32 million from “individuals who took steps to stay secure.”
The user has put together a graph tying crypto thefts throughout the last six months – December 2022 through July 2023. Just a reminder that LastPass admitted to the first hack on August 25th, 2022, and then to the second one on November 30th, 2022.
Now, the user is claiming that attackers are using stolen crypto keys from the LastPass password manager, and is urging everyone to migrate.
“Additionally, most users who had their wallets drained had extremely secure @LastPass passwords. It would be legitimately impossible to brute force them. Which means that either someone has compromised hundreds of users' vaults one-by-one via a still undetected method or… it means that @LastPass has still not shared some critical details about their security posture and the stuff that was compromised by the attackers. I want to emphasize strongly that @LastPass can and should be doing more here. They are a disgusting failure of a company,” Tay elaborates.
Cybernews can’t independently verify the legitimacy of the claims. However, this is not the first time that the password manager has been subject to similar accusations.
At the beginning of the year, LastPass was hit with a lawsuit over the alleged theft of over $50,000 as a result of the LastPass breaches in 2022. The complainant blamed the password manager for the loss of their bitcoin despite having adhered to best cybersecurity practices and having deleted their information immediately after the news of the breach.
“Upon learning of the Data Breach, the Plaintiff deleted his private information from his customer vault. However, on or around Thanksgiving weekend of 2022, the Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant,” the lawsuit reads.
Cybernews reached out to LastPass to give the company a chance to respond to the latest claims of crypto heists. The company declined to comment on the specific allegations while the investigation is still ongoing, so we are sharing its response in full, unredacted.
Karim Toubba, CEO of LastPass, in an update to Cybernews:
“Since last year’s attack on LastPass, we have remained in contact with law enforcement and we have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. We have no further updates to share at this time. Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also still the subject of pending litigation. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting [email protected].
In March, LastPass issued two Security Bulletins – one for Free, Premium, and Families consumer users, and one tailored specifically for Business and Teams users – each designed to help users better secure their LastPass account and assist with their own incident-response efforts. Then, in April, LastPass announced the expanded availability of its Security Dashboard and associated dark web monitoring and alerting, providing proactive credential monitoring for all customers, including those using the product for free. The Security Dashboard is a central hub where customers can monitor the overall security of their vault credentials, including exposure to the dark web, which allows customers to better protect themselves from potential breaches.”