LastPass Hack Drains $4.4 Million From Users, Urgent Asset Migration Advised

Users of the LastPass password manager application have now lost $4.4 million worth of crypto assets in a single day. This development comes a year after LastPass shared that hackers had gained access to its cloud storage keys and dual storage container decryption keys.

LastPass Users Urged To Move Crypto Assets As 25 Fall Victim To Hack

This latest asset loss by LastPass users was revealed by on-chain investigator ZachXBT via an X post on October 27. 

Through a combined probe with a fellow investigator with X handle @tayvano_, it was discovered that approximately $4.4 million in digital assets were stolen from 85 distinct wallets belonging to 25 LastPass users.

Just on October 25, 2023 alone another ~$4.4M was drained from 25+ victims as a result of the LastPass hack.

Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately. pic.twitter.com/26HsxrlnCb

— ZachXBT (@zachxbt) October 27, 2023

In a cautionary note in the same post, ZachXBT also warned all LastPass users to transfer their crypto assets to new wallet addresses in order to avoid future losses.

For context, LastPass offers a password management service, helping users store the seed phrase in their crypto wallet. A seed phrase represents a set of words unique to each wallet, which grants access to the assets stored in the said wallet. 

On August 8, 2022, a hacker gained access to the corporate laptop of a LastPass software engineer, allowing the bad actor to infiltrate the company’s system, stealing some source code, confidential technical documentation, and internal system secrets. 

Using this data, the hacker extracted 14 of LastPass’s 200 source code repositories. 

Over the next few days, the hacker initiated a larger attack, obtaining a copy of the LastPass customer database, which held information such as unencrypted account information, along with associated metadata and settings like multi-factor authentication options. 

On August 25, 2022, the company’s CEO Karim Toubba claimed the hack had been contained and stated that the data comprised had occurred in its development section, which does not contain any personal user data.

However, in a series of tweets in August 2023,  @tayvano_ claimed that over 1200 BTC, valued at $32 million, had been stolen from wallets linked to LastPass users in the last year following the security breach. 

Such reports, in addition to the latest theft incident, have contributed to heightening calls for users to ditch wallet addresses linked to the password management services. 

Crypto Hacks In 2023

According to a July report by blockchain security firm Peckshield, crypto hacks still account for one of the major causes of asset loss in 2023.

Peckshield stated that in H1 2023 alone, over 395 hacks occurred in the crypto space, culminating in losses valued at about $479.9 million. While these figures represent a massive decline from the $2.43 billion recorded in H1 2022, it can still be considered quite significant in terms of investors’ interest.

At the time of writing, the total crypto market is valued at $1.26 trillion, with a 0.22% gain in the last day, based on data from CoinMarketCap.