In late 2022, LastPass suffered a major security breach that is still haunting the company and its customers. Now a new crypto heist has been linked to that breach. According to blockchain sleuth ZachXBT (via The Block), around $5.36 million has been stolen from the wallets of more than 40 victims in thefts he ties to the 2022 hack.
“Stolen funds were swapped for ETH and transferred to various instant exchanges from Ethereum to Bitcoin,” ZachXBT wrote in his Telegram group message.
In early 2023, LastPass began telling customers about this hack, and the disclosures kept growing from there. At the time, the company said the attacker had copied “a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The encrypted fields are protected by a key derived from each user’s master password, so whoever holds a stolen vault backup can run offline guessing attacks against it indefinitely; a weak master password, or a seed phrase stored in such a vault, is the exposure the rest of this story turns on.
The breach turned out to be far worse than that. LastPass’s parent company, GoTo, eventually revealed that the attackers had not only taken encrypted vault data from LastPass consumers; they had also downloaded encrypted backups from several GoTo products, putting GoTo customers at risk as well.
ZachXBT had already identified two earlier batches of cryptocurrency thefts tied to the breach: one in October 2023, in which about $4.4 million was taken, and another in February 2024, with losses of over $6.2 million.
Now there is a new $5.36 million heist, which suggests the breach will keep haunting LastPass and its customers for years to come. In an X post last year, ZachXBT wrote: “Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately.”
The practical advice, then: migrate away from LastPass, rotate every password that was stored in the vault, and treat any seed phrase or private key that was ever saved there as compromised. A seed phrase cannot be “changed” in place; the assets have to be moved to a wallet generated from a fresh seed that has never touched the old vault.
Update: LastPass sent a statement about the latest crypto heist:
“A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass. Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team at securitydisclosure@lastpass.com,” said Christofer Hoff, Chief Secure Technology Officer at LastPass.