What just happened? In a court filing earlier this month, U.S. federal agents confirmed that a series of high-profile cyberheists, including a $150 million cryptocurrency theft, are linked to the 2022 breach of password manager service LastPass. The heists involved cracking master passwords stolen from LastPass, which allowed thieves to access sensitive information, including cryptocurrency seed phrases stored in the "Secure Notes" section of victims' accounts, according to KrebsOnSecurity, which has been tracking these incidents since September 2023.

The $150 million heist, which took place on January 30, 2024, is believed to have targeted Chris Larsen, co-founder of the cryptocurrency platform Ripple, according to blockchain security researcher ZachXBT. Federal prosecutors in northern California have seized roughly $24 million in cryptocurrencies related to this theft.

According to the seizure document, the U.S. Secret Service and the FBI believe the attackers used stolen data from LastPass to access victims' accounts without authorization. This pattern is consistent with similar six-figure crypto heists, where victims had stored their cryptocurrency seed phrases in LastPass before the 2022 breaches.

Krebs says that security researchers Nick Bax and Taylor Monahan have been working with dozens of victims and found that none experienced typical precursor attacks, such as email or mobile phone account compromises, or SIM-swapping attacks. Instead, all victims had stored their cryptocurrency seed phrases in LastPass's "Secure Notes" before the breaches. The heists followed a similar pattern of quickly moving stolen funds to numerous drop accounts scattered across various cryptocurrency exchanges.

The breach of LastPass in 2022 involved two significant incidents. Initially, on August 25, 2022, LastPass CEO Karim Toubba announced that the company had detected unusual activity in its software development environment, resulting in the theft of some source code and proprietary technical information.

However, on September 15, 2022, LastPass stated that the investigation had found no access to customer data or password vaults. This assessment changed on November 30, 2022, when LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults and other personal information using data stolen in the August breach.

This breach would have given thieves offline access to encrypted password vaults, allowing them to attempt to crack weaker master passwords using powerful systems capable of millions of guesses per second. Many victims had chosen master passwords with relatively low complexity and were among LastPass's oldest customers.

Legacy users were more likely to have master passwords protected with fewer iterations – the number of times a password is run through the company's encryption routines. The more iterations, the longer it takes an offline attacker to crack the master password. Over time, LastPass increased the number of iterations for new users and required longer and more complex master passwords. However, researchers found that many older customers were never upgraded to these newer security standards.
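The following is an added illustration, not code from the article or from LastPass, of why the iteration count and master-password complexity together decide how long an offline attacker needs. It assumes the vault key is derived with PBKDF2-HMAC-SHA256 salted by the account e-mail; the iteration counts, character sets and attacker throughput in the script are illustrative values, not LastPass's published figures.

```python
"""Cost model for offline guessing against a PBKDF2-protected vault key.

Assumption (not from the article): the vault key is PBKDF2-HMAC-SHA256 over the
master password, salted with the account e-mail. Iteration counts and attacker
throughput below are illustrative, not LastPass's published figures.
"""
import hashlib
import time


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key; an attacker must repeat this work per guess."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` drawn from a charset."""
    return charset_size ** length


def expected_crack_seconds(space: int, iterations: int, hmac_per_second: float) -> float:
    """Expected brute-force time: on average half the space is tried, and each
    candidate costs `iterations` HMAC evaluations on the attacker's hardware."""
    return (space / 2) * iterations / hmac_per_second


def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How much longer every guess takes after raising the iteration count."""
    return new_iterations / old_iterations


def measure_hmac_throughput(iterations: int = 100_000) -> float:
    """Rough single-core HMAC-SHA256 throughput of this machine (GPUs do far better)."""
    start = time.perf_counter()
    derive_vault_key("benchmark-only", "user@example.com", iterations)
    return iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed comparison: an 8-char lowercase master password at a low,
    # legacy-style iteration count versus a 12-char mixed password at a high count.
    rate = 1e9  # assumed attacker throughput: 1e9 HMAC-SHA256/s on a GPU rig
    weak = expected_crack_seconds(keyspace(26, 8), 5_000, rate)
    strong = expected_crack_seconds(keyspace(62, 12), 600_000, rate)
    print(f"weak password, low iterations  : ~{weak / 86400:.1f} days")
    print(f"strong password, high iterations: ~{strong / 86400 / 365:.2e} years")
    print(f"5k -> 600k iterations slows each guess {slowdown_factor(5_000, 600_000):.0f}x")
    print(f"this machine: ~{measure_hmac_throughput():,.0f} HMAC/s on one core")
```

The takeaway for a vault owner is that a low iteration count only multiplies an attacker's cost by a small constant, whereas password length grows the keyspace exponentially; both need to be high for an offline attack to be impractical.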

Despite these findings, LastPass maintains that there is no definitive evidence linking the cyberheists to its breaches. The company says it has been cooperating with law enforcement and investing in enhanced security measures.

However, researchers have expressed concern that LastPass has not adequately alerted its customers to the potential risks, particularly for sensitive information stored in "Secure Notes." They argue that more proactive measures could have prevented millions of dollars in thefts.

Bax noted that after issuing the initial warning, he hoped users would migrate their funds to new cryptocurrency wallets. However, the continued thefts show how much more needs to be done.

LastPass could have encouraged users to rotate their credentials and prevented further thefts, but instead chose to deny the risks and blame the victims, Monahan said. The situation remains critical, with recent reports of more thefts in December.
