Recent reports estimate that a total of $35 million in cryptocurrency has been purloined from victims of the 2022 LastPass breach. The situation has taken a new twist with the latest hack.
Approximately 25 individuals have allegedly lost $4.4 million in cryptocurrency across 80 wallets as a result of the 2022 data breach at the password manager LastPass.
In a tweet dated October 27th, an on-chain researcher using the pseudonym ZachXBT revealed that he and Taylor Monahan, a developer associated with MetaMask, have been tracing the movements of funds from at least 80 wallets that were compromised on October 25th.
Monahan explained in a report by Chainabuse that most, if not all, of the victims have a history of being LastPass users and have indicated that they stored their crypto wallet keys or seeds in LastPass.
LastPass had previously disclosed in December 2022 that an attacker had used information from a prior breach in August to target one of their employees, obtaining the employee’s credentials and decrypting stored customer data. Additionally, a backup of encrypted customer vault data was stolen, and LastPass warned that it could be decrypted if the attacker were to guess the account’s master password through brute force.
Cybersecurity journalist Brian Krebs reported in a September blog post that it appeared some of the LastPass customer vaults had been compromised, leading to the theft of over $35 million in cryptocurrency from around 150 victims.
LastPass faced a class-action lawsuit in January, as individuals claimed that the August 2022 breach had resulted in the theft of approximately $53,000 worth of Bitcoin.
In light of these recent developments, ZachXBT recommended in his latest tweet that anyone who has ever stored a wallet seed or private key in LastPass should promptly transfer their crypto assets to a more secure location.