A major data breach at password management company LastPass in 2022 continues to wreak havoc two years later, with cybercriminals using stolen information to carry out new attacks.
According to data collected by crypto investigator ZachXBT, hackers stole $12.38 million in cryptocurrency from LastPass users on December 16-17.
The attackers drained nearly 150 individual victim addresses, according to the analysis, with ZachXBT noting that the stolen money was quickly converted into different currencies and siphoned off.
“The stolen funds were exchanged for ETH and transferred to various instant exchanges from Ethereum to Bitcoin,” ZachXBT wrote on his Telegram channel.
This is the most recent example of criminal activity linked to the 2022 LastPass breach. In an earlier incident, cybercriminals stole approximately $4.4 million from more than 25 victims on October 25, 2023.
ZachXBT urged readers to move their cryptocurrency if they might have been affected by the LastPass incident.
“I cannot stress this enough: if you think you have already stored your seed phrase or keys in LastPass, migrate your crypto assets immediately.”
Jamie Moles, senior technical director at ExtraHop, said the prolonged effects of cyber breaches are all too familiar, noting that the true scale of the fallout from the incident is likely not yet fully understood.
“This is just the latest in a continuing stream of cryptocurrency thefts affecting victims of the LastPass breach. With this new information revealed two years later, we can safely assume that we still do not understand the full extent of the damage,” he explained.
“The long-term effects of hacks on even the most sophisticated organizations highlight how important it is to ensure good cybersecurity from the start. We know that new exploits and unknown threats will arise in businesses and public sector organizations. Using signatures and rules to detect known attack vectors is not enough, and has been for some time.”
What happened with the LastPass breach?
The initial incident, which reportedly began in August 2022, saw hackers use stolen information from a compromised development environment to ultimately recover API tokens, MFA seeds, client keys and source code.
On August 25, 2022, Karim Toubba, CEO of LastPass, published a notice alerting users that suspicious activity had been detected in the company’s development environment.
“We have determined that an unauthorized party accessed portions of the LastPass development environment through a single compromised developer account and took possession of portions of LastPass’ source code and certain proprietary technical information. Our products and services are operating normally.”
Although the company said in September that no customer information or passwords had been compromised, Toubba issued a statement on November 30 warning that hackers had used information stolen in August to access its third-party cloud storage service.
In December 2022, LastPass discovered that hackers could access LastPass customer account information as well as customer vault data backups.
The compromised data included “unencrypted data, such as website URLs, as well as fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data”.
Finally, in March 2023, LastPass revealed that the attackers had gained access to the personal device used by a senior DevOps engineer after apparently exploiting a vulnerability in their Plex Media software.
The hackers appeared to be looking for decryption keys they could use to access customer vaults they stole in November 2022.
It appears these activities were largely successful, as the group has continued to drain the crypto accounts of users affected by the breach years after the fact, highlighting the “long-tail effect” that breaches can have.