A 2022 data breach affecting password storage software LastPass has continued to impact victims, with at least 25 individuals losing $4.4 million in cryptocurrency across 80 wallets. The breach, which was disclosed in December 2022, involved an attacker leveraging previously stolen information to target a LastPass employee. This led to the theft of credentials and decrypted customer data.
In a September report, it was revealed that over $35 million in cryptocurrency had been stolen from around 150 victims as a result of cracked customer vaults. LastPass faced a class-action lawsuit in January, with victims claiming around $53,000 worth of Bitcoin was stolen during the August 2022 breach.
Pseudonymous on-chain researcher ZachXBT and MetaMask developer Taylor Monahan have been tracking the movements of funds from compromised wallets. The victims were primarily longtime LastPass users who had stored their crypto wallet keys or seeds within the platform.
In response to the ongoing security concerns, ZachXBT strongly advised anyone who had ever stored wallet seeds or private keys in LastPass to promptly transfer their crypto assets to a more secure location.