Federal agents confirm LastPass breach linked to massive cryptocurrency heists

by washingtoninsider
Originally published April 4, 2025

In a court filing earlier this month, U.S. federal agents confirmed that a series of high-profile cyberheists, including a $150 million cryptocurrency theft, are linked to the 2022 breach of password manager service LastPass. The heists involved cracking master passwords stolen from LastPass, which allowed thieves to access sensitive information, including cryptocurrency seed phrases stored in the Secure Notes section of victims' accounts, according to KrebsOnSecurity, which has been tracking these incidents since September 2023.

The $150 million heist, which occurred on January 30, 2024, is believed to have targeted Chris Larsen, co-founder of the cryptocurrency platform Ripple, according to blockchain security researcher ZachXBT. Federal prosecutors in northern California have seized approximately $24 million in cryptocurrencies related to this theft.

According to the seizure document, the U.S. Secret Service and the FBI believe the attackers used stolen data from LastPass to access victims' accounts without authorization. This pattern is consistent with similar six-figure crypto heists, where victims had stored their cryptocurrency seed phrases in LastPass before the 2022 breaches.

Krebs says that security researchers Nick Bax and Taylor Monahan have been working with dozens of victims and found that none experienced typical precursor attacks, such as email or mobile phone account compromises, or SIM-swapping attacks. Instead, all victims had stored their cryptocurrency seed phrases in LastPass's Secure Notes before the breaches. The heists followed a similar pattern of rapidly moving stolen funds to numerous drop accounts scattered across various cryptocurrency exchanges.

The breach of LastPass

The breach of LastPass in 2022 involved two significant incidents. Initially, on August 25, 2022, LastPass CEO Karim Toubba announced that the company had detected unusual activity in its software development environment, resulting in the theft of some source code and proprietary technical information.

However, on September 15, 2022, LastPass stated that the investigation found no access to customer data or password vaults. This assessment changed on November 30, 2022, when LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults and other personal information using data stolen in the August breach.

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License