The 2022 LastPass breach continues to wreak havoc, with new reports of further losses for its users. On-chain investigator ZachXBT, as reported by The Block, has traced roughly $5.36 million stolen from about 40 victims in a fresh wave of wallet drains. This follows earlier waves of $4.4 million in October 2023 and $6.2 million in February 2024 that investigators tied to the same stolen vault data, compounding the damage from the original breach.
In the original 2022 incident, attackers obtained a large trove of LastPass data: source code and internal documentation, customer account metadata, DevOps and API secrets, backups of the MFA/federation database (including authenticator seeds), and backups of customers' encrypted password vaults. A vault is encrypted with a key derived from the user's master password, which LastPass itself never holds, so the stolen copies cannot simply be opened. They can, however, be attacked offline with no rate limiting and no lockout: the attacker guesses master passwords and runs each guess through the same PBKDF2 key-derivation step until one decrypts the vault. Two factors make that feasible for many accounts. First, weak or reused master passwords fall quickly to dictionary lists and credentials leaked in other breaches. Second, the cost of every guess is set by the vault's PBKDF2 iteration count, which LastPass defaulted to 100,100 in 2022 but which was as low as 5,000 on older accounts that had never been updated. Because the website URLs in vault entries were stored unencrypted, the attackers could also triage which vaults were worth the compute, prioritising those with entries for exchanges and wallet services. A vault protected by a strong master password and a high iteration count is still out of reach; any other vault is only as safe as the time it takes to guess its password.
ZachXBT’s warning from last year on X (formerly Twitter) remains critically relevant: “Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately.”
The ongoing nature of these attacks raises serious concerns about LastPass's security, and the breach itself unfolded in two stages. In August 2022 the attackers compromised a developer's account and stole source code and proprietary technical documentation from the development environment. In the second stage they combined what they learned from that material with data obtained from an unrelated third-party breach to target a senior DevOps engineer, one of a small number of employees holding the keys to LastPass's production backups.
The engineer's home computer was running a third-party media-server package (Plex) with a known, years-old vulnerability. Exploiting it gave the attackers remote code execution, which they used to install a keylogger. The keylogger captured the engineer's master password as it was typed, after MFA had already been completed, which opened the engineer's corporate vault and, through it, the credentials and decryption keys for the cloud storage holding the customer vault backups. This is why the vault data was taken despite MFA and encryption being in place: the attackers did not break the cryptography, they captured the one secret that unlocks it at the point where it is entered.
For users, the lesson is twofold. First, a password manager's master password must be strong and unique, because the whole vault rests on it: a long random passphrase from a generator, never reused anywhere else, is the only kind of master password that survives an offline attack on a stolen vault. Second, and more urgent for anyone caught in a breach like this one, changing the master password or raising the iteration count after the fact does nothing for copies that were already stolen. The stolen blob is attacked at the strength it had on the day it was taken, so every credential, key and seed phrase that was inside it should be treated as exposed and rotated, and, as ZachXBT urges, crypto assets moved to fresh wallets.
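To make the offline-cracking economics behind the vault compromises and the closing advice concrete, here is a constructed Python model. It is added for this article and is not LastPass code; the vault format is a deliberate simplification (PBKDF2-HMAC-SHA256 key derivation salted with the e-mail, a SHA-256 counter-mode keystream standing in for AES-256-CBC, an HMAC tag as the key check), chosen so that the cost per guess is one PBKDF2 run, as it is for a real vault. It runs a dictionary attack against a weak vault at the legacy 5,000-iteration setting, shows that a generated passphrase is not in the list, times the per-guess cost at the three iteration counts discussed above, and includes the kind of CSPRNG-backed passphrase generator the advice refers to. The wordlist, e-mail address, secret and passphrase word list are all constructed sample data; the iteration constants are the figures cited in the text plus OWASP's 2023 recommendation.

```python
"""Offline attack on an exfiltrated password-manager vault (constructed model, not LastPass code)."""
import hashlib
import hmac
import math
import secrets
import time
from typing import Dict, List, Optional, Tuple

ITER_LEGACY = 5_000          # count still found on older LastPass accounts in 2022
ITER_DEFAULT_2022 = 100_100  # LastPass default at the time of the breach
ITER_OWASP_2023 = 600_000    # OWASP recommendation for PBKDF2-HMAC-SHA256


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed by the master password, salted with the lower-cased e-mail.
    This single call is what an attacker pays for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream standing in for AES-256-CBC. Not for real use."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_vault(master_password: str, email: str, iterations: int, plaintext: bytes) -> Dict:
    """Header (salt e-mail, iteration count) is in the clear, as it must be for the
    legitimate client to open the vault; the attacker reads it from the stolen blob."""
    key = derive_vault_key(master_password, email, iterations)
    ct = _xor(plaintext, _keystream(key, len(plaintext)))
    return {"email": email, "iterations": iterations, "ciphertext": ct,
            "tag": hmac.new(key, ct, hashlib.sha256).digest()}


def open_vault(vault: Dict, master_password: str) -> Optional[bytes]:
    """Returns the plaintext if the password is right, else None (the tag is the key check)."""
    key = derive_vault_key(master_password, vault["email"], vault["iterations"])
    expected = hmac.new(key, vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    return _xor(vault["ciphertext"], _keystream(key, len(vault["ciphertext"])))


def crack_vault(vault: Dict, wordlist: List[str]) -> Tuple[Optional[str], Optional[bytes], int]:
    """Offline dictionary attack: no server, no lockout, no rate limit.
    Returns (password, plaintext, guesses_used) or (None, None, guesses_used)."""
    for n, guess in enumerate(wordlist, 1):
        pt = open_vault(vault, guess)
        if pt is not None:
            return guess, pt, n
    return None, None, len(wordlist)


def seconds_per_guess(iterations: int, email: str = "probe@example.com") -> float:
    """Wall-clock cost of one guess on this machine; scales linearly with iterations."""
    t0 = time.perf_counter()
    derive_vault_key("timing-probe", email, iterations)
    return time.perf_counter() - t0


def generate_passphrase(words: List[str], n_words: int = 6) -> Tuple[str, float]:
    """Random passphrase from a word list using the CSPRNG (secrets, never random).
    Entropy is n_words * log2(len(words)); a 7,776-word list gives about 77 bits for 6 words."""
    phrase = " ".join(secrets.choice(words) for _ in range(n_words))
    return phrase, n_words * math.log2(len(words))


# Constructed sample data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "Password1",
            "Summer2022!", "Welcome123", "dragon", "monkey"]
WORDS = ["orbit", "velvet", "cinder", "quartz", "harbor", "lantern", "meadow", "pickle",
         "summit", "thistle", "walnut", "zephyr", "ember", "fjord", "glacier", "nectar"]
EMAIL = "alice@example.com"
SECRET = b"seed: abandon ability able about ... (constructed, not a real wallet)"

if __name__ == "__main__":
    weak = make_vault("Summer2022!", EMAIL, ITER_LEGACY, SECRET)
    pw, pt, n = crack_vault(weak, WORDLIST)
    print(f"weak vault: cracked with guess #{n} ({pw!r}) -> {pt!r}")
    phrase, bits = generate_passphrase(WORDS)
    strong = make_vault(phrase, EMAIL, ITER_OWASP_2023, SECRET)
    print(f"strong vault ({bits:.0f} bits from a {len(WORDS)}-word list): {crack_vault(strong, WORDLIST)}")
    for it in (ITER_LEGACY, ITER_DEFAULT_2022, ITER_OWASP_2023):
        print(f"{it:>8} iterations: {seconds_per_guess(it):.4f} s per guess (one CPU core, stdlib)")
```

The point the timing loop makes is that the iteration count multiplies the attacker's cost but cannot rescue a weak password: a master password that is the seventh entry in a leaked list is gone after seven PBKDF2 runs whatever the count, while a generated passphrase is simply not in any list. Note also that the iteration count is read from the stolen header, so raising it after the theft changes nothing for the copy the attacker already has.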