In September 2023, I published a story about extensive research suggesting that thieves who'd obtained a copy of the encrypted LastPass vaults that were exposed in a 2022 data breach were successfully cracking access to some LastPass accounts, leading to a significant number of 7-figure+ cryptocurrency thefts.
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
In the past week, the talented crypto crime researcher ZachXBT walked through how thieves have stolen another $5.36M from over 40 different crypto wallet addresses recently, and why it was likely tied to the LastPass breach.
In response to media coverage of ZachXBT's research, LastPass issued a statement that basically said all of the researchers who've connected high-dollar thefts to the LastPass breach are somehow barking up the wrong tree:
"A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents," LastPass Chief Secure Technology Officer Christofer Hoff said. "In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass. Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team."
Taylor Monahan, lead product manager at MetaMask, is one of the researchers who's been most vocal about the apparent fallout from the LastPass breach. Tay's responses over on Hellsite to the LastPass statement are scathing.
-
@briankrebs This would be the _single round_ hashed somewhat bad Master password users I assume though*? Those should indeed be bruteforceable.
Somewhat surprised users didn't understand that when LastPass did communicate about the single round hashing etc - they could've just moved their crypto to another seed
I know someone in cybersec who has on purpose left some small amounts of bitcoin in a wallet where the seed existed in their LastPass account at the time. Those coins are still there - but the user had a strong Master password.
*) if my memory serves me right
-
@troed the victims I interviewed for that story all had used LP to store their crypto seed phrase, all had low number of iterations for their pwd hash, and had relatively low-entropy passwords.
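The two replies above turn on the same point: offline guessing cost is roughly password keyspace multiplied by the hash iteration count. The following is an added illustration, not code from any poster or from LastPass; it assumes PBKDF2-HMAC-SHA256 with the lowercased account email as salt and an attacker throughput of 1e10 HMAC-SHA256 computations per second, both of which are assumptions chosen only to show the scaling.

```python
import hashlib
import math


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256.

    Assumed construction for illustration: salt is the lowercased email,
    so the only tunable cost knob a defender has is `iterations`.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected offline guessing time: half the keyspace, each guess costing `iterations` HMACs."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / hashes_per_second


def work_factor_table(entropy_bits: float, iteration_counts: list[int], hashes_per_second: float) -> dict[int, float]:
    """Map each iteration count to expected crack time in days for one password strength."""
    return {
        n: expected_crack_seconds(entropy_bits, n, hashes_per_second) / 86400
        for n in iteration_counts
    }


if __name__ == "__main__":
    # Constructed inputs: a short lowercase-plus-digits password versus a long random one,
    # evaluated at 1 round (the "single round" case) and at a modern six-figure count.
    rate = 1e10  # assumed attacker throughput, HMAC-SHA256 per second
    weak = password_entropy_bits(36, 8)     # ~41 bits
    strong = password_entropy_bits(95, 16)  # ~105 bits
    for label, bits in (("weak", weak), ("strong", strong)):
        for n, days in work_factor_table(bits, [1, 100_100, 600_000], rate).items():
            print(f"{label:6} password, {n:>7} iterations: ~{days:.3g} days")
    print(derive_vault_key("correct horse", "User@Example.com", 600_000).hex())
```

The table shows why a weak master password behind one iteration falls in seconds while iteration count alone only buys a linear factor; entropy buys an exponential one, which is why the safe response for affected users was to move funds to a fresh seed rather than to rely on a higher iteration count.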