Remember the massive LastPass security breach that LastPass disclosed on the Thursday before Christmas? The one in which hackers stole backups of customer vault data, containing both encrypted and unencrypted fields? At the time, LastPass tried to assure customers that their data was secure and that it would take attackers millions of years to crack their way into users' accounts.
Nearly a year after the first LastPass intrusion, security researchers have linked a string of cryptocurrency thefts affecting more than 150 people to the LastPass hack. The thieves made off with more than $35 million in cryptocurrency after gaining access to victims' LastPass vaults.
If you didn't do it back in December, change every password stored in LastPass now and check that none of your accounts has been compromised. However time-consuming the process, ditching LastPass in favor of 1Password or Proton Pass may well be worth it too.
The connection between LastPass and cryptocurrency theft
There is no conclusive proof that the LastPass security breach is behind the estimated $35 million in stolen cryptocurrency, and LastPass certainly isn't confirming it.
But security researchers believe it is the common thread running through the recent crypto thefts. After cracking the master password of each stolen vault, the hackers are thought to have extracted the 12-word seed phrases that protect victims' crypto wallets, which the victims had stored in their LastPass accounts.
Popular security blog KrebsOnSecurity offers a very detailed account of the thefts, explaining how the hackers were able to break into LastPass vaults even though they were encrypted.
The blog explains that MetaMask senior product manager Taylor Monahan was the first to link the cryptocurrency thefts to the LastPass hack. She explains that the victims are not ordinary internet users with weak passwords who made for easy targets.
"The victim profile remains the most intriguing feature," Monahan wrote. "Everyone is completely safe. Also deeply integrated into this ecosystem are employees of large crypto firms, venture capitalists, and people who create DeFi protocols, deploy contracts, and run entire nodes."
By late August, Monahan had concluded that the only common thread among the victims was their use of LastPass.
The cryptocurrency theft
The hackers obtained seed phrases that unlocked victims' crypto wallets and used them to drain the funds, which in many cases cannot be recovered. KrebsOnSecurity interviewed one victim, who explained why he kept his seed phrase in a password manager rather than on paper:
"At the time, I thought the biggest risk was losing the paper with my seed phrase," Conner says. "I was going to put it in a bank vault, but I started thinking, 'Hey, the bank might close or burn down and I'll lose my seed words.'"
Conner, who spoke anonymously, lost $3.4 million in cryptocurrency on August 27, 2023, almost a year after the hackers attacked LastPass. Before that, he had kept his seed phrase in his LastPass account for years. He was able to recover $1.5 million of the stolen funds.
Here's what I wrote in December, when LastPass posted its just-before-Christmas update on the August 2022 and November 2022 incidents:
Now, in a warning issued on the Thursday before Christmas, LastPass said the hackers stole "a backup of customer vault data" from encrypted storage containers, stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.
No reason to panic, LastPass seemed to suggest. But you should be worried anyway.
How your LastPass account could have been hacked
At the time, LastPass also said it would take millions of years to guess a user's master password, which protects every other password saved in the vault. Here again is what I wrote then.
LastPass noted that since 2018 its default settings have used a password-strengthening algorithm that "makes it difficult to guess the master password."
Given those defaults, LastPass said, "it would take millions of years to guess your master password using generally available password-cracking technology," and it was not recommending any action for customers whose accounts used them.
But if your account doesn't use these defaults, you're at risk. LastPass advised those users to reduce their risk by changing the passwords on the websites stored in their vault. Every site. Right before Christmas.
So how did the hackers get into the vaults of more than 150 people? Brute force. It comes down to LastPass not applying consistent, up-to-date protections across all of its accounts, combined with what the attackers already had in hand.
KrebsOnSecurity explains that the hackers worked offline, attacking the stolen encrypted vaults directly:
LastPass has always emphasized that it's a shame if you lose your master password, because they don't store it and their encryption is so strong that they can't help you recover it.
But experts say all bets are off when cybercriminals get hold of the encrypted data itself instead of going through LastPass's website. These so-called "offline" attacks allow criminals to use sophisticated computers capable of millions of password attempts per second to run unlimited "brute force" guesses against the encrypted data.
With enough computing power, even accounts LastPass considered secure can be cracked. By the time the victims noticed their cryptocurrency was gone, it was too late.
LastPass declined to comment to KrebsOnSecurity, citing the ongoing investigation and litigation.
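To make concrete what "offline" means here, and why the 2018 default settings discussed above matter, here is an added Python example written for this article; it is not LastPass's code and not anything from the KrebsOnSecurity report. It assumes a simplified vault design: the master password is stretched with PBKDF2-HMAC-SHA256 using a per-account salt and an iteration count, and the derived key encrypts a stored secret such as a seed phrase. LastPass's real file format, cipher, salt and iteration counts are not described on this page; the HMAC-counter-mode cipher, the wordlist, the seed phrase and the iteration counts below are all constructed for illustration.

```python
"""Offline attack on a stolen, encrypted vault blob (illustrative simulation).

Assumed vault design (NOT LastPass's actual format): the master password is
stretched with PBKDF2-HMAC-SHA256 and the derived key encrypts each sensitive
field. Everything needed to test a guess (salt, iteration count, ciphertext)
is inside the stolen blob, so once the backup has left the server nothing
can rate-limit or lock out the guessing.
"""
import hashlib
import hmac
import os
import time

KEY_LEN = 32
TAG_LEN = 16


def derive_key(master_password, salt, iterations):
    """Stretch the master password; cost per guess grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=KEY_LEN)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher such as AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key, plaintext):
    """Encrypt one vault field; returns (nonce, ciphertext, tag)."""
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce, ciphertext, tag


def decrypt_field(key, nonce, ciphertext, tag):
    """Return the plaintext, or None if the key is wrong (authentication tag mismatch)."""
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def make_vault(master_password, iterations, secret):
    """What one account's server-side backup looks like to the thief."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    nonce, ciphertext, tag = encrypt_field(key, secret)
    # Salt and iteration count must be stored in the clear so the legitimate
    # client can derive the key; the attacker therefore gets them too.
    return {"salt": salt, "iterations": iterations, "nonce": nonce, "ct": ciphertext, "tag": tag}


def offline_crack(vault, wordlist):
    """Attacker side: one KDF run per guess, no server, no lockout.
    Returns (password, plaintext, guesses_tried), or (None, None, guesses_tried)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        key = derive_key(guess, vault["salt"], vault["iterations"])
        plaintext = decrypt_field(key, vault["nonce"], vault["ct"], vault["tag"])
        if plaintext is not None:
            return guess, plaintext, tried
    return None, None, tried


def guesses_per_second(iterations, samples=10):
    """Rough single-core guess rate for a given iteration count (pure Python, CPU only)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


# Constructed wordlist, standing in for the dictionaries fed to real crackers.
WORDLIST = ["password", "letmein", "Summer2018!", "Tr0ub4dor&3", "qwerty123"]

if __name__ == "__main__":
    # Constructed stand-in for a 12-word wallet seed phrase stored in the vault.
    seed = b"witch collapse practice feed shame open despair creek road again ice least"

    # Account A: weak master password, low iteration count (illustrative old-account setting).
    weak = make_vault("Summer2018!", iterations=5_000, secret=seed)
    pw, pt, tried = offline_crack(weak, WORDLIST)
    print(f"low-iteration vault: cracked={pw!r} after {tried} guesses -> {pt.decode()}")

    # Account B: same weak password, higher iteration count. Still cracked, just slower per guess.
    stronger = make_vault("Summer2018!", iterations=100_000, secret=seed)
    pw, pt, tried = offline_crack(stronger, WORDLIST)
    print(f"high-iteration vault: cracked={pw!r} after {tried} guesses")

    # Account C: a password absent from the list survives this wordlist at any iteration count.
    uncracked = make_vault("correct horse battery staple 7!", iterations=5_000, secret=seed)
    print("random passphrase:", offline_crack(uncracked, WORDLIST))

    for its in (5_000, 100_000):
        print(f"{its:>7} iterations: ~{guesses_per_second(its):.0f} guesses/s on this CPU")
```

Two things the simulation makes visible. First, raising the iteration count only multiplies the cost of each guess; it does nothing to change how many guesses a weak master password needs, so an account with a dictionary-word master password is cracked at either setting, just more slowly at the higher one. Second, a seed phrase stored in a vault inherits exactly the strength of the master password that encrypts it, which is why the thefts described above followed the cracking so directly.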
What should you do now?
LastPass customers who moved all of their passwords to a new manager, and their crypto to new wallets, back in December should be safe now. At least 150 people did not. And given how opaque the cryptocurrency world is, it may be impossible to know how much has actually been stolen.
It will be interesting to see whether anyone can establish a definitive connection between LastPass and the cryptocurrency thefts, and whether LastPass will be held responsible for them.
In the meantime, I'll repeat what I said in December:
If you're a LastPass customer and have just learned that hackers may have stolen your encrypted passwords, there's at least one thing you should do: take the time to change all of your passwords (including your master password), paying special attention to credit card details and any other sensitive information you keep in the vault.
I'm going further. I'll move all my passwords to another provider and cancel my LastPass subscription, even if it would take hackers millions of years to break into my vault.
If these findings are correct and you never changed your passwords, hackers may well have compromised your LastPass vault. If you didn't store crypto keys in it, they have probably ignored you so far. But that doesn't mean worse things can't happen in the future.
While you're at it, be sure to read KrebsOnSecurity's full report to understand how LastPass let its users down.