Internet security experts are claiming that some of the LastPass password vaults stolen during a security breach near the end of 2022 have now been cracked open following a string of six-figure cryptocurrency thefts.
A prominent cybersecurity blogger reports that several researchers have identified a "highly reliable set of clues" that seemingly connect over 150 victims of crypto theft with the LastPass service. Over $35 million in crypto has reportedly been stolen so far, with two to five high-value heists occurring each month since December 2022.
The lead product manager at crypto wallet company MetaMask, who is one of the key researchers investigating the attacks, agreed, concluding that the common thread connecting the victims was that they had previously used LastPass to store their "seed phrase" — a private digital key that is required to access cryptocurrency investments. These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets. The stolen funds were also moved to the same blockchain addresses, further linking the victims.
Password management service LastPass suffered two known security breaches in August and November last year, with hackers using information obtained during the first breach to access shared cloud storage containing customer encryption keys for vault backups during the latter incident. The LastPass CEO stated that last November's security breach remains "the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation." Jess Weatherbed "Experts link LastPass security breach to a string of crypto heists" theverge.com (Oct. 16, 2023)
Using password managers is often high on the list of best practices because they can generate long, strong, and secure passwords, supply login credentials quickly, can often be accessed from various platforms, and operate so that the user has but one master password to remember.
However, the downside to using a password manager is illustrated by the breach of LastPass servers. The theft of the master password places data at risk.
If you are not using a password manager, there are best practices organizations should follow.
First, regularly change passwords and make your passwords longer and unique.
Critical accounts such as email, banking, financial, or government services accounts should have their passwords changed at least quarterly. The passwords should be at least 12 characters and should include letters, numbers, and symbols - and not in a pattern.
Second, use two-factor authentication (TFA) on every account where it is offered. Remember, however, that if an email account is hacked, or your telephone number is reassigned without your knowledge, TFA safeguards may not provide adequate protection. Be sure email account passwords are protected and that any changes to phone service requires a PIN, provided by the carrier on your request.