CyberSecurity SEE

Experts Express Concern Over Potential Key Cracking of Stolen LastPass Credentials

LastPass, the popular password manager service, revealed in November 2022 that it had experienced a breach in which hackers gained access to password vaults containing encrypted and plaintext data belonging to more than 25 million users. Since then, there has been a series of cryptocurrency heists targeting individuals in the tech industry, leading experts to believe that the hackers may have successfully cracked open some of the stolen LastPass vaults.

One of these experts is Taylor Monahan, the founder and CEO of MetaMask, a software cryptocurrency wallet used for interacting with the Ethereum blockchain. Monahan and other researchers have been investigating the recent thefts, which have targeted over 150 people and resulted in the loss of more than $35 million worth of crypto. Surprisingly, the victims are all experienced cryptocurrency investors and security-conscious individuals who have not fallen victim to the typical attacks that precede such heists, such as compromised email or mobile phone accounts.

Monahan has been documenting these thefts on Twitter since March 2023, expressing frustration at the lack of a common cause among the victims. However, on August 28, she announced that she had discovered a common thread connecting almost every victim: they had used LastPass to store their “seed phrase,” which is the private key required to access their cryptocurrency investments.

The seed phrase is essentially the key to the money in a cryptocurrency wallet, and anyone with access to it can transfer the funds to another account. Cybersecurity enthusiasts typically store their seed phrases in encrypted containers, such as password managers, or on offline hardware encryption devices. However, it appears that many victims had stored their seed phrases in LastPass, making them vulnerable to the thefts.

Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company, closely reviewed the data collected by Monahan and others and reached the same conclusion. He describes it as one of the most extensive and complex cryptocurrency investigations he has seen, with clear evidence linking the stolen funds and victims.

The researchers have identified a unique signature that links the thefts, but they have chosen not to publish it to avoid alerting the attackers. However, they have published findings on the similarities in how the stolen funds were laundered through specific cryptocurrency exchanges and how the attackers grouped victims together by sending their cryptocurrencies to the same destination wallets.

By analyzing these destination addresses, the researchers have been able to track down and interview new victims, including an employee at Chainalysis, a blockchain analysis firm that assists law enforcement in tracking down cybercriminals and money launderers. The employee confirmed being a victim of a high-dollar cryptocurrency heist but declined to provide further details.

The only commonality among the victims interviewed is that they stored their seed phrases in LastPass. Bax urges friends and family members who use LastPass to change all their passwords and migrate any exposed crypto, despite the inconvenience involved.

LastPass has declined to comment on the research, citing an ongoing law enforcement investigation and pending litigation stemming from its 2022 data breach. The company has cooperated with law enforcement and shared technical information and indicators of compromise to aid in the identification of the responsible parties.

LastPass suffered multiple breaches in 2022, with the initial intrusion occurring in August. Although the company initially stated that customer data and password vaults were not compromised, a subsequent security incident in November revealed that encrypted copies of password vaults and other personal information had been compromised. The attackers targeted a DevOps engineer who had access to the corporate vault by exploiting a vulnerability in a Plex media server running on the employee’s home network. The attackers installed keylogger malware that captured the employee’s master password.

In light of these incidents, experts advise against storing seed phrases in LastPass or any password manager. Instead, they recommend using encrypted containers or offline hardware encryption devices to ensure the security of valuable cryptocurrency investments.
