Federal agents confirm LastPass breach linked to massive cryptocurrency heists

Skye Jacobs

What just happened? In a court filing earlier this month, U.S. federal agents confirmed that a series of high-profile cyberheists, including a $150 million cryptocurrency theft, is linked to the 2022 breach of password manager service LastPass. The heists involved cracking the master passwords of encrypted vaults stolen from LastPass, which gave thieves access to sensitive information, including cryptocurrency seed phrases stored in the "Secure Notes" section of victims' accounts, according to KrebsOnSecurity, which has been tracking these incidents since September 2023.

The $150 million heist, which occurred on January 30, 2024, is believed to have targeted Chris Larsen, co-founder of the cryptocurrency platform Ripple, according to blockchain security researcher ZachXBT. Federal prosecutors in northern California have seized approximately $24 million in cryptocurrencies related to this theft.

According to the seizure document, the U.S. Secret Service and the FBI believe the attackers used stolen data from LastPass to access victims' accounts without authorization. This pattern is consistent with similar six-figure crypto heists, where victims had stored their cryptocurrency seed phrases in LastPass before the 2022 breaches.

Krebs says that security researchers Nick Bax and Taylor Monahan have been working with dozens of victims and found that none had experienced the typical precursor attacks, such as email or mobile phone account compromises or SIM-swapping. Instead, all of the victims had stored their cryptocurrency seed phrases in LastPass's "Secure Notes" before the breaches. The heists followed a similar pattern: stolen funds were rapidly moved to numerous drop accounts scattered across various cryptocurrency exchanges.

The breach of LastPass in 2022 involved two significant incidents. Initially, on August 25, 2022, LastPass CEO Karim Toubba announced that the company had detected unusual activity in its software development environment, resulting in the theft of some source code and proprietary technical information.

However, on September 15, 2022, LastPass stated that the investigation found no access to customer data or password vaults. This assessment changed on November 30, 2022, when LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults and other personal information using data stolen in the August breach.

This breach would have given thieves offline access to encrypted password vaults, allowing them to attempt to crack weaker master passwords using powerful systems capable of millions of guesses per second. Many victims had chosen master passwords with relatively low complexity and were among LastPass's oldest customers.

Legacy users were more likely to have master passwords protected with fewer iterations – the number of times a password is run through the company's key-derivation routine before it becomes the key that unlocks the vault. The more iterations, the longer it takes an offline attacker to test each guess at the master password. Over the years, LastPass increased the number of iterations for new users and required longer, more complex master passwords. However, researchers found that many older customers were never upgraded to these newer security standards.
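To make the iteration count concrete, here is an added example (not LastPass's code) that models a vault header as a salt plus an iteration count, derives the vault key with PBKDF2-HMAC-SHA256 (a standard iterated KDF of the kind the article describes), audits headers that sit below an enforced minimum, and times what one offline guess costs at each setting. The iteration counts and the `VaultHeader` layout are constructed for illustration and are not the figures from the article.

```python
import hashlib
import os
import time
from dataclasses import dataclass

# Constructed iteration counts for illustration; the article gives no figures.
LEGACY_ITERATIONS = 5_000          # an old account that was never migrated
RECOMMENDED_ITERATIONS = 600_000   # the minimum a defender enforces today

@dataclass(frozen=True)
class VaultHeader:  # per-user KDF parameters stored next to the encrypted vault blob
    salt: bytes
    iterations: int

def derive_vault_key(master_password: str, header: VaultHeader) -> bytes:
    """Stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256).
    Whoever holds a stolen vault must repeat exactly this work for every guess,
    so header.iterations is the price tag on each offline guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               header.salt, header.iterations, dklen=32)

def needs_rekey(header: VaultHeader, minimum: int = RECOMMENDED_ITERATIONS) -> bool:
    """Audit check: does this account still sit below the enforced minimum?"""
    return header.iterations < minimum

def rekey(master_password: str, header: VaultHeader,
          minimum: int = RECOMMENDED_ITERATIONS) -> tuple[VaultHeader, bytes]:
    """Migrate a legacy header: fresh salt, current count, new key to re-encrypt under.
    Note the limit: any copy of the old ciphertext (e.g. a stolen backup) stays
    crackable at the old price, which is why a breach also calls for rotating secrets.
    """
    if not needs_rekey(header, minimum):
        return header, derive_vault_key(master_password, header)
    new_header = VaultHeader(salt=os.urandom(16), iterations=minimum)
    return new_header, derive_vault_key(master_password, new_header)

def seconds_per_guess(header: VaultHeader, samples: int = 3) -> float:
    """Time one offline guess at this header's iteration count on this CPU."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", header)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    legacy = VaultHeader(salt=os.urandom(16), iterations=LEGACY_ITERATIONS)
    migrated, _ = rekey("correct horse battery staple", legacy)
    old, new = seconds_per_guess(legacy), seconds_per_guess(migrated)
    print(f"{old*1e3:.2f} ms/guess -> {new*1e3:.2f} ms/guess (x{new/old:.0f} per guess)")
```

The ratio printed at the end is the factor by which a migration multiplies an attacker's cost per guess; it says nothing about vault copies that were already stolen under the old header.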

Despite these findings, LastPass maintains that there is no definitive proof linking the cyberheists to its breaches. The company says it has been cooperating with law enforcement and investing in enhanced security measures.

However, researchers have expressed concern that LastPass has not adequately alerted its customers to the potential risks, particularly for sensitive information stored in "Secure Notes." They argue that more proactive measures could have prevented millions of dollars in thefts.

Bax noted that after issuing the initial warning, he hoped users would migrate their funds to new cryptocurrency wallets. However, the continued thefts show how much more needs to be done.

LastPass could have encouraged users to rotate their credentials and prevented further thefts but instead chose to deny the risks and blame the victims, Monahan said. The situation remains critical, with recent reports of additional thefts in December.

 
"... used stolen data from LastPass to access victims' accounts without authorization."
Um, I think when the authorisation keys are stolen and then used to access an account, that would be *with* authorisation.
 
This is exactly why I NEVER store my credentials in the cloud. *Never* period.
I use Sticky Password that has an option to synchronize your data in the cloud using your main pass phrase, but I always disable it, and instead, I copy databases between machines. This is more of a pain, but at least, my data is not in the open.
When will people understand that if it is in the cloud, it is somewhat vulnerable?
 
Storing your credentials with a password manager in the cloud is absolutely safe, and absolutely better than storing them on a paper notebook.

I have hundreds of secrets, personal, work, family etc that I store in my digital vault. Many of these are long scrambled strings that would be highly impractical to type by hand and guess. As passwords should be. If you rely on a paper notebook you're far more likely to write short easy to guess passwords.

Lastpass was compromised due to their own stupidity because they failed to apply best practices:

- They didn't upgrade older customers to stronger encryption.
- They stored some parts of the vault in plain text. e.g. the username would be plain text and only the password encrypted. I still can't understand why in the world they would do this.
- They didn't have proper protocols in place to guard their vault backups. This is how the breach happened, they stole the backups because they were not handled securely.

Yes you should use a password manager. No you should not use Lastpass.
 
Storing your credentials with a password manager in the cloud is absolutely safe, and absolutely better than storing them on a paper notebook.

I have hundreds of secrets, personal, work, family etc that I store in my digital vault. Many of these are long scrambled strings that would be highly impractical to type by hand and guess. As passwords should be. If you rely on a paper notebook you're far more likely to write short easy to guess passwords.

Lastpass was compromised due to their own stupidity because they failed to apply best practices:

- They didn't upgrade older customers to stronger encryption.
- They stored some parts of the vault in plain text. e.g. the username would be plain text and only the password encrypted. I still can't understand why in the world they would do this.
- They didn't have proper protocols in place to guard their vault backups. This is how the breach happened, they stole the backups because they were not handled securely.

Yes you should use a password manager. No you should not use Lastpass.
"Storing your credentials with a password manager in the cloud is absolutely safe...", then a few lines down "... lastpass was compromised due to their own stupidity because they failed to apply best practices".
So, storing your credentials in the cloud is *NOT* safe. You can never be sure that the company you trust with keeping your stuff applies "best practices", and you can *never* bet on an exploit not being discovered, even when "best practices" have been implemented. If it is not on your machine, you do not control it anymore, period.
 
A system whose sole purpose is to protect people's passwords is the main reason their passwords got leaked.

It goes to show that if you don't want your passwords to be out there, just write them on a piece of notebook and keep them in a safe in your own home.
...or use a local password manager like Keepass, or a text file encrypted in a Veracrypt container, but losing the auto filling feature of password managers and the search function.
 
Storing your credentials with a password manager in the cloud is absolutely safe, and absolutely better than storing them on a paper notebook.

I have hundreds of secrets, personal, work, family etc that I store in my digital vault. Many of these are long scrambled strings that would be highly impractical to type by hand and guess. As passwords should be. If you rely on a paper notebook you're far more likely to write short easy to guess passwords.

Lastpass was compromised due to their own stupidity because they failed to apply best practices:

- They didn't upgrade older customers to stronger encryption.
- They stored some parts of the vault in plain text. e.g. the username would be plain text and only the password encrypted. I still can't understand why in the world they would do this.
- They didn't have proper protocols in place to guard their vault backups. This is how the breach happened, they stole the backups because they were not handled securely.

Yes you should use a password manager. No you should not use Lastpass.
If you put your passwords on someone else's server, you are putting your trust in other people. I don't trust other people, for good reason.

How many password managers have to be hacked for people to get it?
 
No problem putting passwords in the cloud if that is NOT your password, i.e. it's a seed to generate your actual password.
 
"Storing your credentials with a password manager in the cloud is absolutely safe...", then a few lines down "... lastpass was compromised due to their own stupidity because they failed to apply best practices".
So, storing your credentials in the cloud is *NOT* safe. You can never be sure that the company you trust with keeping your stuff applies "best practices", and you can *never* bet on an exploit not being discovered, even when "best practices" have been implemented. If it is not on your machine, you do not control it anymore, period.


I'm guessing you also don't use banks, direct deposits from your job, health insurance, or any one of the other thousand services we interact with every day that do 100% of their business in the cloud.

Lastpass was a **** company. I was one of their customers and I'm furious at the gross negligence that was revealed by this breach. Yes you shouldn't blindly trust any company, but some companies have shown themselves to be more trustworthy than others. I feel my data is safe, and conveniently available for myself and my wife whether we are home or not. YMMV.
 
I have a few important passwords that I don't trust to anything. I keep those written down in case I forget one. And, yes, I hand enter them on each use. The other hundreds I'm happy to let the web-browser remember for me.
 
This is exactly why I NEVER store my credentials in the cloud. *Never* period.
I use Sticky Password that has an option to synchronize your data in the cloud using your main pass phrase, but I always disable it, and instead, I copy databases between machines. This is more of a pain, but at least, my data is not in the open.
When will people understand that if it is in the cloud, it is somewhat vulnerable?
No one should ever store credentials on an internet-connected computer (or computing device). Seriously? Who does that?... oh right... people who don't think past the end of their nose and enjoy being ripped off.
 
I'm guessing you also don't use banks, direct deposits from your job, health insurance, or any one of the other thousand services we interact with every day that do 100% of their business in the cloud.

Lastpass was a **** company. I was one of their customers and I'm furious at the gross negligence that was revealed by this breach. Yes you shouldn't blindly trust any company, but some companies have shown themselves to be more trustworthy than others. I feel my data is safe, and conveniently available for myself and my wife whether we are home or not. YMMV.
There is no point comparing those companies to one that you entrust your credentials with. Those credentials give access to those companies you mention, as if it was YOU connecting to the services and doing business with them. Besides, as far as insurance and banks are concerned, I, in France, do NOT have the choice. I HAVE to use them, *no* direct deposits from your job in France, you are *required* to have a bank account..., so... and if a mistake is made at the bank or insurance, they are required to make it right by law as long as I am not responsible. Anyway, laws are made for scammers. In France my ISP got hacked by a 16 y.o. hacker who stole bank IBANs and information from more than 20 million subscribers, and my data is now in the open, and there is nothing I can do, and they are not even sued for this! Each individual is required to file a complaint, if he thinks it appropriate, although the law requires ISPs to "implement every technical solution at their disposal" to secure the data! They did not, they stored the data UNENCRYPTED on their servers, and the authorities are not even moving a finger to make things right!
The long records of such cases show that companies making money more or less ALWAYS get complacent and negligent, as the incentives and laws not to be are way too lenient, all in the name of business, of course. Who are we, little customers/citizens to demand security for our data and our lives, because that's what it all comes down to in the end!
How come Lastpass is still in business?
 
There is no point comparing those companies to one that you entrust your credentials with. Those credentials give access to those companies you mention, as if it was YOU connecting to the services and doing business with them. Besides, as far as insurance and banks are concerned, I, in France, do NOT have the choice. I HAVE to use them, *no* direct deposits from your job in France, you are *required* to have a bank account..., so... and if a mistake is made at the bank or insurance, they are required to make it right by law as long as I am not responsible. Anyway, laws are made for scammers. In France my ISP got hacked by a 16 y.o. hacker who stole bank IBANs and information from more than 20 million subscribers, and my data is now in the open, and there is nothing I can do, and they are not even sued for this! Each individual is required to file a complaint, if he thinks it appropriate, although the law requires ISPs to "implement every technical solution at their disposal" to secure the data! They did not, they stored the data UNENCRYPTED on their servers, and the authorities are not even moving a finger to make things right!
The long records of such cases show that companies making money more or less ALWAYS get complacent and negligent, as the incentives and laws not to be are way too lenient, all in the name of business, of course. Who are we, little customers/citizens to demand security for our data and our lives, because that's what it all comes down to in the end!
How come Lastpass is still in business?

ChatGPT bot.. work on your formatting..
 
The bigger the target repository the bigger the drive to breach it. What did you *****S expect!?

*****s :: "Let us store all the keys to our lives in one location.. should be fine. Oh and who needs 2FA or 3FA?"

 
“Secure Notes” was a bold name for a feature that apparently stored passwords like a glass safe in a bank lobby.
 
A system whose sole purpose is to protect people's passwords is the main reason their passwords got leaked.

It goes to show that if you don't want your passwords to be out there, just write them on a piece of notebook and keep them in a safe in your own home.
They wouldn't be able to get into accounts with 2FA enabled via FIDO keys or biometrics, even if they know the master password. This is why it is very important to use 2FA anywhere it is available.
 
The $150 million heist, which occurred on January 30, 2024, is believed to have targeted Chris Larsen, co-founder of the cryptocurrency platform Ripple, according to blockchain security researcher ZachXBT. Federal prosecutors in northern California have seized approximately $24 million in cryptocurrencies related to this theft.
I am not sure why someone would want to store critical information about their crypto accounts (particularly with such high monetary value) on a public site that could be breached or simply go bankrupt and shut down abruptly. I would have stored that info in 2 separate safe deposit boxes at 2 separate banks for security and redundancy.
 