Zachxbt Ties $12.38 Million Crypto Drain to Lastpass Breach; 100 Victimized Wallets

December 17, 2024 Bitcoin.com

LastPass threat actor steals $5.4M from victims just a week before Xmas

December 17, 2024 Coin Telegraph

$4,500,000 in Crypto Stolen From Victims of LassPass Hack in One Day Alone: On-Chain Data

October 31, 2023 The Daily Hodl

Crypto thief steals $4.4M in a day as toll rises from LastPass breach

October 30, 2023 Coin Telegraph

Crypto thief steals .4M in a day as toll rises from LastPass breach

Coin Telegraph

Estimates in September revealed that at least $35 million in crypto has been stolen from victims of the LastPass breach since 2022, with the latest hack adding to the toll.

At least 25 people have reportedly seen $4.4 million in crypto drained from across 80 wallets due to a 2022 data breach that impacted password storage software LastPass.

In an Oct. 27 X (Twitter) post, pseudonymous on-chain researcher ZachXBT said they and MetaMask developer Taylor Monahan tracked the fund movements of at least 80 wallets compromised on Oct. 25.

“Most, if not all, of the victims are longtime LastPass users and/or confirm having stored their [crypto wallet] keys/seeds in LastPass,” Monahan said in an accompanying Chainabuse report.

Just on October 25, 2023 alone another ~$4.4M was drained from 25+ victims as a result of the LastPass hack.

Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately. pic.twitter.com/26HsxrlnCb
— ZachXBT (@zachxbt) October 27, 2023

In December 2022, LastPass disclosed an attacker leveraged information previously stolen in a breach that August to target a LastPass employee, snagging their credentials and decrypting stored customer information.

Also stolen was a backup of encrypted customer vault data which LastPass warned could be decrypted if the attacker brute force guesses the account’s master password.

In a September blog post, cybersecurity journalist Brian Krebs reported some of the LastPass customer vaults had seemingly been cracked and over $35 million worth of crypto had been stolen from around 150 victims.

In January, LastPass was hit with a class-action suit from individuals claiming the August 2022 breach resulted in the theft of around $53,000 worth of Bitcoin (BTC).

In his latest X post, ZachXBT advised anyone who ever stored a wallet seed or private key in LastPass to “migrate your crypto assets immediately.”

Magazine: Deposit risk: What do crypto exchanges really do with your money?

LastPass data breach led to $53K in Bitcoin stolen, lawsuit alleges

January 5, 2023 Coin Telegraph

Breach

A class action is seeking damages from the password manager following a data breach in August 2022.

A class action lawsuit has been filed against password management service LastPass following a data breach from Aug. 2022.

The class action was filed with the U.S. district court of Massachusetts on Jan. 3, by an unnamed plaintiff known only as “John Doe” and on behalf of others similarly situated.

It alleges that the data breach of LastPass has resulted in the theft of around $53,000 worth of Bitcoin.

The plaintiff claimed he began accruing BTC in Jul. 2022 and updated his master password to more than 12 characters using a password generator, as recommended by the LastPass “best practices.”

This was done to enable the storage of private keys in the seemingly secure LastPass customer vault.

When news of the data breach broke, the plaintiff deleted his private information from his customer vault. LastPass was hacked in Aug. 2022, with the attacker stealing encrypted passwords and other data, according to a December statement from the company.

Despite the quick action to delete the data, it appeared to be too late for the plaintiff. The lawsuit read:

“However, on or around Thanksgiving weekend of 2022, Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant [LastPass].”

“The LastPass Data Breach has, through no fault of his own, exposed him to the theft of his Bitcoin and exposed him to continued risk,” it added.

The suit claims that victims have been put at increased substantial risk of future fraud and misuse of their private information, which may take years to manifest, discover, and detect.

LastPass is being accused of negligence, breach of contract, unjust enrichment, and breach of fiduciary duty, however, the figure sought in damages was not specified.

According to cybersecurity researcher Graham Cluley, the stolen data includes unencrypted information including company names, user names, billing addresses, telephone numbers, email addresses, IP addresses, and website URLs from password vaults.

r/t LostPass?

After the LastPass hack, here’s what you need to know...https://t.co/8x47Vze0lb
— Graham Cluley (@gcluley) January 4, 2023

In December, LastPass admitted that if customers had weak Master Passwords, the attackers may be able to use brute force to guess this password, allowing them to decrypt the vaults.

Lastpass Data Breach Frightens Users, Some Say Hack ‘May Be Worse Than They Are Letting on’

December 25, 2022 Bitcoin.com

Lastpass

Share this video