After the LastPass breach in November 2022, where hackers pilfered password vaults affecting over 25 million users, the tech community has been on high alert. Recent spikes in cryptocurrency thefts have raised eyebrows, leading experts to believe that hackers might be decrypting stolen LastPass vaults.
The Link Between LastPass and Crypto Thefts
Taylor Monahan, the lead product manager of MetaMask, has been investigating this issue. Since December 2022, Monahan and her team have identified patterns linking thefts that have collectively amounted to over $35 million in stolen crypto from more than 150 individuals.
Interestingly, the victims, predominantly long-term cryptocurrency investors, didn’t exhibit signs of typical pre-heist attacks, such as email or mobile phone compromises. Monahan emphasized the security-conscious nature of these victims, many of whom are deeply embedded in the crypto ecosystem.
The Common Thread: LastPass
Monahan’s research, shared extensively on Twitter since March 2023, initially struggled to find a common denominator among the victims. However, by August 28, she identified a recurring theme: nearly every victim had stored their cryptocurrency “seed phrase” on LastPass.
This seed phrase is a critical component for crypto investors. Possession of this phrase allows anyone to access and transfer associated cryptocurrency holdings. While many cybersecurity enthusiasts store their seed phrases in encrypted containers like password managers or offline devices like Trezor or Ledger wallets, the breach has exposed the potential vulnerabilities of such practices.
The Intricacies of the Investigation
Nick Bax from Unciphered collaborated with Monahan on this investigation. Describing it as one of the most extensive and intricate cryptocurrency investigations he’s witnessed, Bax confirmed Monahan’s findings. The stolen funds from various victims often ended up in the same blockchain addresses, strengthening the link between the thefts.
However, out of respect for ongoing research, specific details about the thefts remain undisclosed to the public. Still, the researchers have shared insights about the similarities in how the stolen funds were moved and laundered.
The Importance of Password Iterations
A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said a single GPU would take about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.
However, these numbers decrease radically when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.
Victim Profiles and Testimonies
One of the victims, referred to as “Connor” for anonymity, shared his experience of losing approximately $3.4 million in various cryptocurrencies. A software engineer and startup founder, Connor had stored his seed phrase on LastPass and used an eight-character master password. He noticed rapid unauthorized transactions from his crypto accounts early one morning.
Connor’s story is not unique. Many victims had similar experiences, with the only commonality being their use of LastPass to store seed phrases.
The LastPass Breaches: A Timeline
LastPass’s journey through these security challenges began on August 25, 2022, when they detected unusual activity. Initially, they assured users that no customer data or password vaults were accessed. However, by November 30, 2022, a more severe security incident was disclosed, revealing that hackers had accessed encrypted password vaults and other personal data.
Further revelations in February 2023 exposed a targeted attack against a specific LastPass employee, leading to the compromise of the corporate vault.
The Implications for LastPass Users
Given the gravity of the situation, Taylor Monahan of MetaMask advises LastPass users, especially those with cryptocurrency-related passwords, to change their credentials immediately. She also recommends migrating crypto holdings to new offline hardware wallets.
The Debate on Password Managers
The LastPass breach has reignited the debate on the safety of password managers. While some experts argue for the convenience and security they offer, others, like the author, prefer traditional methods like writing down passwords and storing them securely.
However, for those still inclined towards password managers, alternatives like 1Password, which employs a different encryption mechanism, might be worth considering.
While the direct link between the LastPass breach and the crypto thefts remains a topic of debate, the evidence is compelling. As the crypto world continues to evolve, so too do the threats against it. Ensuring the security of assets, especially in digital form, remains paramount.