A devastating security breach at LastPass has resulted in millions of dollars in cryptocurrency theft from users' digital wallets. The latest incident, occurring just before Christmas, saw hackers steal $5.36 million from approximately 40 LastPass users.
This recent theft adds to an alarming pattern of cryptocurrency losses tied to a major LastPass security breach from August 2022. During that breach, attackers gained access to critical customer data, including encrypted password vaults and authentication tokens.
According to blockchain investigator ZachXBT, the stolen funds were converted to Ethereum and moved across multiple exchanges in an attempt to hide their origin. This latest incident follows similar attacks in October 2023 and February 2024, where hackers stole $4.4 million and $6.2 million respectively.
The total damage from LastPass-related cryptocurrency thefts has now reached approximately $45 million, affecting over 150 users since the initial 2022 breach. Most victims had stored their cryptocurrency seed phrases within their LastPass vaults.
Security experts warn that even users who have switched to different password managers remain at risk if they continue using compromised passwords. They recommend immediately transferring any cryptocurrency assets to new, secure wallets if seed phrases were previously stored in LastPass.
The Security Alliance (SEAL) has issued an alert specifically for pre-2023 LastPass users who stored cryptocurrency-related information. It advises users to:
- Move assets to new secure wallets immediately
- Reconfigure smart contracts with new addresses
- Enable strong two-factor authentication
- Avoid using public Wi-Fi for sensitive transactions
The holiday season has made users particularly vulnerable, as increased online activity and reduced vigilance create additional opportunities for attackers to exploit stolen data.