Tuesday, September 26, 2023

Research suggests hackers are cracking Bitcoin keys stolen from LastPass in 2022

A series of losses over the past few months has raised alarms among security and crypto specialists. The leads investigators are following suggest that the hackers who stole encrypted password vaults from LastPass, a password manager that stores users' vaults in the cloud, last year may have found a way to decrypt the stolen content.

In November 2022, LastPass reported that its platform had been compromised by hackers who took vaults containing encrypted passwords, along with unencrypted data, belonging to more than 25 million users. Since then, some people have started losing cryptocurrency funds linked to keys stored in LastPass. Among them is John Doe, who sued LastPass in January this year after losing $53,000 in BTC, CriptoNoticias reported.

Little more was known about the case until Taylor Monahan, founder of MyCrypto and now at MetaMask, began posting information online linking the hack to a series of previously unsolved thefts. According to Monahan, at least 150 people have recently fallen victim to thefts totalling more than 1,200 BTC, worth more than 32 million US dollars.

On April 18th, Monahan identified a series of thefts dating back to December of more than 5,000 ETH in the form of tokens, NFTs, and coins across 11 networks. She then shared new findings in a series of posts on X (formerly Twitter) on August 28th.

This time she reported that more than 500 addresses had been compromised, with a total value above $25 million. According to the new findings, individual victims lost between $400,000 and $4 million each between July and August, well above the roughly $50,000 per theft seen on average from December to April.


What caught Monahan's attention at the time was that the thefts appeared to target long-standing members of the crypto ecosystem. "The victim's profile is still the most surprising," wrote Monahan.

After analyzing the facts, Monahan found a common thread running through the string of thefts: LastPass. "I can also say with certainty at this point that in most of these cases, the compromised keys were stolen from LastPass," she wrote.

"The number of victims who only had the specific set of seeds or keys that were revoked stored in LastPass is just too large to ignore," she added.

The LastPass connection

According to a KrebsOnSecurity report, several researchers agreed with Monahan’s analysis. Among them is Nick Bax, Unciphered’s head of research.

Thanks to these independent investigations, built on the data Monahan disclosed, new victims were identified whose funds were withdrawn and cashed out through certain exchanges. The researchers also managed to identify a destination address. However, all of them declined to reveal this information, arguing that the attacker could move the funds and make the activity harder to trace.


According to the report, one of the identified victims, who lost millions of dollars, identified himself as an employee of Chainalysis, an analytics company that works with law enforcement agencies to track down and identify cybercriminals. Chainalysis confirmed this, but the victim declined to comment.

Once again, the common factor the researchers see among these victims is that every one of them used LastPass to store their passwords.

The LastPass team did not comment on the data provided by the researchers, but did give KrebsOnSecurity a statement: "Last year's incident remains the subject of an ongoing investigation by the authorities and is also the subject of pending litigation. Since last year's attack on LastPass, we are and will continue to be in contact with the authorities."

LastPass’s poor security measures

In later updates on the hack, LastPass informed its users that the attackers had gained access to users' personal information and online vaults, as well as sensitive information about the LastPass software. Specifically, the company admitted that the attack targeted a DevOps engineer, one of only four people who had access to the company's vault.

In this context, Dan Goodin, senior editor at Ars Technica, reported that the attack was carried out through a known vulnerability in Plex, a server for streaming audio and video. The engineer simply had not updated to a version containing the patch, which gave the attacker access to the engineer's credentials and, ultimately, to the vaults and passwords of numerous users.

This is where LastPass's security model comes in. The service stores and autofills the login details for each associated website inside a vault that is locked with a single master password. According to the company, LastPass itself never holds that master password, so if a user forgets it, the company cannot reset it.

However, according to experts cited by KrebsOnSecurity, once criminals have a copy of the vault data, they no longer need to interact with the LastPass website at all: they can run offline "brute force" attacks, using their own computing resources to test millions of candidate master passwords per second with no rate limits or lockouts to slow them down.

LastPass never required its users to update their master passwords

Notably, Vladimir Palant had already explained this LastPass weakness in a blog post in December 2022, which may shed light on the hackers' method.

According to Palant, a security researcher and the original developer of Adblock Plus, how quickly hackers can crack a vault depends on two factors: the complexity of the master password and the default key-derivation settings LastPass applied to its users.

Over time, LastPass has had different requirements for its master passwords. Before 2018, it required only 8 characters and used an iteration count that today would be considered far too small to withstand a brute-force attack. The minimum length was later raised to 12 characters, but LastPass never asked its oldest users to update their credentials to the stronger settings.

The original default for old accounts was as few as 1 to 500 iterations. In 2013, new LastPass customers received 5,000 iterations by default. LastPass raised the default to 100,100 iterations in February 2018, and more recently the number has been increased again, to 600,000.


The iteration count matters because it sets how much computation is needed to turn a guessed master password into the key that decrypts the vault, and therefore how many guesses per second an attacker can test against a stolen copy.

The 2018 change came in response to a security bug report filed by Palant, prompted by the discovery that some users still had dangerously low iteration counts in their LastPass configuration. "For reasons unknown to me, LastPass did not complete this migration," Palant wrote.

It would take a single GPU about a year to crack a master password of average complexity protected by 500 iterations, and about 10 years to crack the same password protected by 5,000 iterations, Palant said. An attacker with more computing power, for example a mining farm, would of course cut that time dramatically.
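The following script is an added example for this article, not LastPass's code or Palant's. It models the offline attack the experts describe: the stolen vault carries its salt and iteration count in the clear, so a candidate master password can be checked without ever touching the LastPass servers, and the only thing standing between the attacker and the vault is the cost of each PBKDF2 computation. It assumes the key-derivation scheme Palant describes (PBKDF2-HMAC-SHA256 with the account e-mail as salt); the e-mail, password, wordlist and the HMAC "integrity tag" standing in for the real AES-encrypted vault are constructed for the example so it runs on the standard library alone. The projection helper scales Palant's one-GPU-year-at-500-iterations estimate linearly with the iteration count.

```python
"""Offline guessing against a stolen password-manager vault, and how the
PBKDF2 iteration count changes the attacker's cost.

Added example; not LastPass code.  Assumptions: the vault key is
PBKDF2-HMAC-SHA256 over the master password, salted with the account e-mail
(the scheme Palant describes), and the stolen blob carries its iteration
count in the clear.  A real vault is AES-256 encrypted; here a keyed HMAC
tag stands in for the ciphertext so no third-party crypto library is needed.
"""
import hashlib
import hmac
import time

VAULT_CHECK = b"vault-integrity-check"  # constructed check string for the toy vault


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def seal_vault(master_password: str, email: str, iterations: int) -> dict:
    """What the attacker walks away with: the salt (e-mail), the iteration
    count, and data that lets a guess be verified without the server."""
    key = derive_vault_key(master_password, email, iterations)
    tag = hmac.new(key, VAULT_CHECK, "sha256").digest()
    return {"email": email, "iterations": iterations, "tag": tag}


def crack_vault(vault: dict, candidates) -> tuple:
    """Offline dictionary attack: no rate limits, no lockouts, only CPU time.
    Returns (recovered password or None, number of guesses tested)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        key = derive_vault_key(candidate, vault["email"], vault["iterations"])
        tag = hmac.new(key, VAULT_CHECK, "sha256").digest()
        if hmac.compare_digest(tag, vault["tag"]):
            return candidate, guesses
    return None, guesses


def projected_crack_years(iterations: int,
                          baseline_iterations: int = 500,
                          baseline_years: float = 1.0) -> float:
    """Scale Palant's estimate (about one GPU-year at 500 iterations for an
    average-strength master password) linearly with the iteration count."""
    return baseline_years * iterations / baseline_iterations


def guess_rate(iterations: int, email: str = "victim@example.com", samples: int = 5) -> float:
    """Measure guesses per second on this machine for a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate{i}", email, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed victim: an old account still on the 2013-era default.
    stolen = seal_vault("Summer2013!", "victim@example.com", iterations=5000)
    wordlist = ["password", "Summer2012!", "Summer2013!", "letmein"]  # constructed
    found, tried = crack_vault(stolen, wordlist)
    print(f"recovered {found!r} after {tried} guesses")

    # Same password, different defaults over LastPass's history.
    for iters in (1, 500, 5000, 100_100, 600_000):
        print(f"{iters:>8} iterations: {guess_rate(iters):10.1f} guesses/s on this CPU, "
              f"~{projected_crack_years(iters):.0f} GPU-years for an average password")
```

The point to take away is that `iterations` is read straight out of the stolen blob: an account left on 1 or 500 iterations is attacked at that cost regardless of what the current default is, which is why an uncompleted migration matters more than the headline 600,000 figure.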

Unfortunately, it took the losses of these victims to bring this LastPass weakness into the spotlight. For this reason, Monahan recommends that anyone who stored keys or seed phrases in LastPass change their passwords immediately and migrate their funds to new cryptocurrency wallets.

World Nation News Desk (https://worldnationnews.com/)