September 8, 2023

Security experts are warning LastPass users that their passwords may have been used in a string of cryptocurrency thefts.

The experts say that hackers have cracked open some of the password vaults stolen during a security breach at LastPass in late 2022. This has allowed them to access the “seed phrases” of victims, which are private digital keys that are required to access cryptocurrency investments.

Collectively, over $35 million in crypto has reportedly been stolen so far. The thefts have occurred in batches of two to five high-value heists each month since December 2022.

Taylor Monahan, lead product manager at MetaMask, is at the forefront of the investigation. She observes that the victims’ link is not only their reliance on LastPass but also the suspicious movement of stolen funds to identical blockchain addresses. Nick Bax, director of analytics at Unciphered, echoes Monahan’s concerns, urging LastPass users to take action, emphasizing the gravity of the situation.

The common thread connecting the victims is that they had previously used LastPass to store their seed phrases. These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets.

LastPass has not confirmed whether any of the stolen password vaults have been cracked. However, the company says that it is “aware of the reports” and is “investigating the matter.”

The sources for this piece include an article in TheVerge.