Over the past few days, discussion has intensified around a serious cybersecurity incident involving the compromise of data belonging to users of the LastPass password manager. Cryptocurrency fraud researchers revealed the theft of crypto assets worth $4.4 million, carried out on October 25.
According to the researchers, the criminals were able to carry out the theft using private keys and passphrases stolen from LastPass databases. The researcher ZachXBT, also known as “ZA,” and MetaMask developer Taylor Monahan discovered a series of similar thefts in which people lost their cryptocurrency assets. ZachXBT said, “We regularly receive messages from people who have lost their crypto assets. We also turn to the victims that we find in the blockchain.”
The common factor among all the victims identified in the study was their use of LastPass. The service experienced two significant security breaches in 2022, in August and December, during which attackers gained access to source code, customer data, and backup copies stored in cloud services, including encrypted passwords.
Initially, it was believed that the encrypted vaults remained inaccessible to the attackers, since decrypting them requires a master password known only to the user. However, recent events suggest that the attackers were able to break into some of the vaults.
According to the study, criminals are using the compromised data to access victims’ cryptocurrency and withdraw funds. In August, Monahan had already pointed out that in most cases the stolen keys were obtained from LastPass. He stated, “The number of victims who exclusively stored their keys in Lastpass is too large to ignore.”
In light of this new information, LastPass users, especially those who were using the service during the incidents in August and December 2022, are strongly advised to change all their passwords, including the master password, to prevent potential financial losses.