LastPass: Revenge of the Breach

If you’re a regular reader of this blog (or if you follow security/tech news), you may have heard about the most recent (and worst) LastPass password manager hack that the public became aware of in late 2022/early 2023.

The hack was quite bad – it involved the attackers stealing users’ encrypted password vaults. At the same time, it also came to light that LastPass had not always followed best practices in storing and encrypting vaults – especially the vaults of long-time users.

While LastPass was quick to assure customers that they had fixed the problem(s) that led to the hack and the theft of customer data, there is no way for them to retroactively fix the vaults that were already stolen. And since some of those vaults were more weakly encrypted, their owners are at greater risk of having those vaults cracked.

It Finally Happened…Probably

According to a recent article on Krebs on Security (an excellent security blog), it looks like the worst fears of LastPass users are coming to pass. There is strong evidence that not only are stolen vaults being cracked – but that the data is being used to steal millions of dollars in Bitcoin and other cryptocurrency.

Essentially, over 150 individuals who are big in the cryptocurrency scene – and who also appear to have generally good security practices – have had their cryptocurrency accounts drained without any of the usual warning signs that indicate a targeted malware or phishing campaign.

Additionally, the drained accounts were spread across a variety of blockchain and cryptocurrency types. These users generated their “seed phrases” using a variety of different methods – both hardware and software. And finally, these seed phrases were not short – generally 12-24 words long.

(For those unfamiliar, the seed phrase is essentially the private key that lets a user interact with their cryptocurrency wallet.)

While the seed phrases were unique and the cryptocurrencies were varied, the one thing all these users did have in common is that every one of them stored their seed phrases in LastPass.

While this isn’t a smoking gun, it does mean that if you have stored any important information (especially cryptocurrency or other financial information) in LastPass, it is very likely that people are actively attempting to break into the stolen vaults, and your vault could be one of them.

And remember that one of the reasons why I left LastPass was that many of the stolen password vaults were using a weaker encryption mechanism that leaves them more susceptible to cracking. Worse, since some of the metadata (like the website that a password is for) was not encrypted, attackers can identify the most rewarding vaults and prioritize their cracking efforts accordingly.

What to Do About It

Basically, as big of a pain as it is, you need to change everything that is important.

It’s unlikely that anyone will try to get into your random forum account or your Netflix account. But it is likely that sooner or later, someone will spot your cryptocurrency, bank, or Gmail account in one of the cracked vaults. When that happens, your only protection will be 2FA (if you have it) or having already changed your password.

And don’t forget – while the current attacks appear to be prioritizing cryptocurrency, it’s highly likely that stolen vaults – once drained of cryptocurrency – will show up on the Dark Web for sale to the highest bidder. When that happens, a whole new wave of attacks against second-tier accounts (email and banking, most likely) will begin.

Don’t wait!