Remember the massive LastPass security breach that LassPass detailed on the Thursday before Christmas? The one where hackers were able to steal a backup containing customer vault data that included both encrypted and unencrypted data? At the time, LastPass tried to assure customers that their data was safe and that it might take attackers a million years to get into user accounts.
About a year after the original LastPass attack started, security experts have now linked crypto thefts targeting more than 150 people to the LastPass breach. And the hackers managed to steal over $35 million worth of crypto after apparently getting access to LastPass vaults.
If it wasn’t clear back in December, you should change all your passwords stored in LastPass and ensure that your accounts have not been compromised. It’s probably also a good idea to ditch LastPass for 1Password or Proton Pass, no matter how long the process takes.
The link between LastPass and crypto heists
There’s no definitive proof that the LastPass security breach is tied to the cumulative $35 million in crypto heists. And LastPass likely wouldn’t acknowledge it either way.
But security researchers who have been investigating recent crypto heists seem to believe that’s the only thing that makes sense. They believe hackers stole the unique 12-word seed phrases protecting crypto wallets from LastPass accounts after cracking each vault’s master password.
Popular security blog KrebsOnSecurity has a very detailed rundown of events that explain how the hackers were seemingly able to crack the LastPass vaults, despite their encryption.
The blog explains that MetaMask lead product manager Taylor Monahan was the first to link the crypto heists to the LastPass breach. She explained that the victims were not your average internet users who recycle weak passwords with their services.
‘The victim profile remains the most striking thing,’ Monahan wrote. ‘They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.’
Monahan concluded in late August that the only common thread was the use of LastPass to protect the seed phrases.
The crypto thefts
The hackers obtained those seed phrases that opened their crypto wallets. That’s how they stole the crypto funds, which might be unrecoverable in most cases. KrebsOnSecurity conducted an interview with a victim, who explained why they stored the seed phrase in a password manager rather than on a piece of paper:
‘I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,’ Connor said. ‘I had it in a bank security deposit box before that, but then I started thinking, ‘Hey, the bank might close or burn down and I could lose my seed phrase.”
The anonymous Connor lost $3.4 million worth of crypto on August 27th, 2023. That’s nearly a year after the hackers went after LastPass. He stored the seed phrases for years in his LastPass account before that. He was able to recover $1.5 million of that.
Here’s what I wrote back in December, when LastPass issued that tardive Christmas update about the August 2022 and November 2022 hacks:
Now, the Thursday before Christmas, LastPass issued a notice of a recent security incident where hackers stole a copy of “a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
There’s no reason to panic, LastPass seems to indicate. But you also should.
How they might have hacked your LastPass account
At the time, LastPass also said it would take millions of years to guess someone’s master password, which guards all the other passwords you have secured in your vault. Again, here’s what I said:
LastPass also notes that since 2018 it has implemented new security features, including ‘a stronger password-strengthening algorithm that makes it difficult to guess your master password.’
With these default settings in place, ‘it would take millions of years to guess your master password using generally-available password-cracking technology.’ LastPass says there are no recommended actions customers should take at this time if the above applies to your account.
But you’re at risk if your account doesn’t use these defaults. LastPass advises users to minimize risk by ‘changing passwords of website you have stored.’ Every single website. Before Christmas.
So, how could the hackers possibly break into accounts belonging to more than 150 people? They brute-forced their way into them. That’s because LastPass didn’t have uniform, up-to-date security practices in place for all of them. Something the hackers probably knew.
KrebsOnSecurity explains that hackers were working offline, with direct access to those encrypted vaults:
LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it, and their encryption is so strong that even they can’t help you recover it.
But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called ‘offline’ attacks allow the bad guys to conduct unlimited and unfettered ‘brute force’ password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.
With enough computing power, they could have cracked even the best-secured LastPass accounts. When the victims would have found out about the crypto, it was already too late.
LastPass declined to make any comments to KrebsOnSecurity, citing the ongoing investigation and pending litigation.
What should you do now?
If LastPass customers had changed ALL their account passwords in December, including migrating cryptos to new wallets, they’d be safe now. At least 150 people didn’t. And with the obfuscation in the crypto world, it’s probably impossible to tell how massive the crypto heist is.
It’ll be interesting to see if anyone can establish a clear link between LastPass and the crypto thefts. And whether LastPass will be held liable.
Until then, I’ll repeat what I said in December:
If you are a LastPass customer who is just hearing about hackers potentially stealing your encrypted passwords, you should do at least one thing. Find the time to change all your passwords (master included), and pay extra attention to credit card information and information you’ve stored in notes.
I’d go one step further. I’d transfer all my passwords to a different manager and ditch my LastPass subscription. Even if the hackers need a million years to break into my vault.
If these security findings are true and you never changed your passwords, the hackers might have already breached your LastPass account. But if you don’t hold crypto keys in it, they might have ignored everything else in it so far. That doesn’t mean more nefarious things can’t happen down the road.
While you’re at it, make sure you read KrebsOnSecurity’s report in full to understand how LastPass might have failed you.
\