The hacker responsible for the huge LastPass breach in 2022 has continued their rampage by using stolen data to take $5.36 million from 40 crypto wallets.
The August 2022 hack saw the attacker gain access to information that allowed them to later successfully breach a cloud-based storage environment which stored customer keys, API tokens, multi-factor authentication (MFA) seeds, and encrypted password vaults.
While the password vaults were encrypted, the master password used to open them could still be brute-forced if it was weak, reused, or previously leaked, which may be the reason for a string of crypto thefts against LastPass users since 2022.
The fallout continues
The latest theft is being linked to the LastPass breach by a blockchain expert known as ZachXBT. ZachXBT claims in a Telegram post that this is just the latest in a long line of crypto thefts affecting victims of the LastPass breach, with $4.4 million being stolen in October 2023, and a further theft of $6.2 in February 2024.
The Verge previously reported that, between the time of the breach in August and December of 2022, over $35 million was stolen from 150 apparent victims of the LastPass breach.
These subsequent breaches of crypto wallets highlight the importance of using unique passwords for every single account, and ensuring that each password adheres to recommended password security standards by using one of the best password generators.
Even if you have changed your password manager provider since the LastPass breach, any compromised passwords that are still being reused are at risk, as evidenced by these crypto thefts. It is also recommended to use a strong authenticator app that uses biometric verification to secure your accounts even if an attacker knows your username and password.