
LastPass users should move their crypto funds, experts warn

Several experts have warned LastPass users who store cryptocurrency-related login information in their vaults to change that login information as soon as they can.

Apparently, cybercriminals who have access to the stolen information are making it a priority to decrypt the data in an attempt to gain access to crypto wallets and online accounts.

Responders.nu tweet

The breach

According to LastPass, an unknown attacker accessed a cloud-based storage environment using information obtained in LastPass’ August 2022 breach. Some of the stolen source code and technical information were used to target another LastPass employee, allowing the attacker to obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

Unencrypted data

As we mentioned in an earlier post about the LastPass breach, part of the stolen data was not encrypted. The unencrypted data included URLs, which could act as a pointer for the attacker to figure out which accounts deserve their attention. For example, if someone has stored their login credentials to Blockchain.com or any other crypto services platform in LastPass, the threat actor will be able to see the URL to that platform and can then choose to prioritize attempts to decrypt that information.

Decrypt

At this point it is unclear whether the attacker is trying to decrypt the master password of these interesting accounts or the crypto-related login credentials, but it is likely they will try both. And because they have stolen copies of the vaults, they have an unlimited amount of time to keep trying.

Secret keys

If your secret keys were in the stolen data, simply changing your passwords will not be enough. With a secret key you can prove ownership of a blockchain address, which means you can change all the other information associated with that address. That includes the password, the recovery email, and everything else a threat actor needs to drain the account.

This is why the tweet by Responders.nu (a Dutch Incident Response cybersecurity firm) says that you will have to move your funds to a different account.

Changing your LastPass master password and enabling 2FA is good, but it does not help in a case where attackers have a copy of your vault, because they can access the copy at all times. Once they crack your master password, they will be able to see everything you stored in that vault in plaintext, and they’ll have plenty of time to use brute force attacks to decrypt the encrypted data.

We realize that opening new accounts and transferring funds to them is time-consuming and costly, but it is certainly better than waking up to a drained account.
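An added example, not part of the original article or any LastPass tooling: a triage of your own vault export that separates entries needing a login change from entries holding key material, for which the funds have to move. The CSV column names, the domain watchlist, the key heuristics and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Assumed watchlist of crypto-service domains; extend it with the services you use.
CRYPTO_DOMAINS = {"blockchain.com", "coinbase.com", "binance.com", "kraken.com"}

# Heuristics (assumptions) for key material kept in a note: a 64-hex-digit
# private key, or 12 to 24 short lowercase words that look like a recovery phrase.
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
SEED_PHRASE = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")

def vault_host(url):
    """Return the lowercased host of a vault URL, without a leading 'www.'."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def is_crypto_host(host):
    """Match the watchlist on a domain boundary, so lookalike names do not match."""
    return any(host == d or host.endswith("." + d) for d in CRYPTO_DOMAINS)

def triage(export_csv):
    """Return (name, host, action) for each crypto-related vault entry."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        host = vault_host(row.get("url", ""))
        note = row.get("extra", "") or ""
        holds_key = bool(HEX_KEY.search(note) or SEED_PHRASE.search(note))
        if holds_key:
            # A stored key cannot be rotated like a password: the funds have to move.
            findings.append((row.get("name", ""), host, "move funds"))
        elif is_crypto_host(host):
            findings.append((row.get("name", ""), host, "change login"))
    return findings

# Constructed sample export (assumed column layout); no real credentials.
SAMPLE = """url,username,password,extra,name,grouping,fav
https://login.blockchain.com/,alice@example.com,hunter2,,Blockchain,Finance,0
https://www.example.org/,alice,pw123,,Forum,Misc,0
http://sn,,,abandon ability able about above absent absorb abstract absurd abuse access accident,Wallet seed,Secure Notes,0
"""

if __name__ == "__main__":
    for name, host, action in triage(SAMPLE):
        print(f"{action:12} {name} ({host})")
```

Run it against a local export only, and delete the export file afterwards, since it holds the vault contents in plaintext.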

Class action

A “John Doe” class-action lawsuit has been filed against LastPass following the August 2022 data breach. The class action was filed with the United States district court of Massachusetts on January 3 by an unnamed plaintiff (John Doe) and on behalf of others similarly situated. Allegedly, the LastPass data breach has resulted in the theft of around $53,000 worth of Bitcoin.

We have reached out to LastPass, but it has not responded to our request for comment. We will keep you posted about any developments here.


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.