briankrebs,

Small scoop here: In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

From the story:

"...the researchers learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.

By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.

Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story."

briankrebs,

Here's the tl;dr if you're a current or former LastPass user and haven't yet changed your important credentials that were in there late last year, it's time to do that NOW.

According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.

“Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw [hardware] wallet. Migrate. Now.”

If you also had passwords tied to banking or retirement accounts, or even just important email accounts — now would be a good time to change those credentials as well.

Judmarc,
@Judmarc@vivaldi.net avatar

@briankrebs LastPass was sufficiently slow and opaque about the problem that I felt I could no longer trust sensitive data with them, so I left.

karadanvers,

I'm good. Took 5 hours, changed 98% of all my passwords and security questions, back when it all happened.

But they must be making progress, as my old spam email from LastPass is getting a ton of emails trying to trick me, associated with LastPass, from accounts I changed passwords to.

deadbeefthemonster,

@briankrebs luckily I don't have any cryptocurrency accounts, changed all the sensitive passwords (and have MFA/2FA set up on them all) a while back, and just migrated off LastPass to Strongbox (KeePassXC).

I probably should update passwords again.

Scorpion_Byte13,

@briankrebs just updated my iteration on bitwarden to the max thanks😀

1ll173r47,
@1ll173r47@mastodon.online avatar

@briankrebs Doesn’t LastPass disclose a breach like every 6 months? Why do people still use them?

Or is it that other platforms aren’t really disclosing their breaches?

tasket,

@briankrebs I am sorry, but their logic at the most basic level is extremely flawed. Since there is no social contract connected to their "assets", their identity doesn't matter when things go wrong. It then becomes a variation of the computerized voting / electronic ballot conundrum: Anonymous high-stakes transactions are extremely vulnerable to theft and tampering. There is no quick or slow fix for that.

But hey cryptobugs, buy the techno-tinctures, split your assets and do your digital calisthenics. You see? We have nice, simple nostrums we'll keep repeating, because we are the Church of Computers Can Do Anything Any Way We Want (because the pretty clicky icons and line-go-up hype says we can).

A fundamentally new type of computer with software stack to match might possibly change that situation. But what I'm seeing from the cultists are a bunch of impressive-sounding but misapplied measures like the tech found in hardware wallets (which might as well be called "speed bumps").

#cryptocurrency #snakeoil #technocult

Dr_Von2,
@Dr_Von2@mastodon.social avatar

@briankrebs when my email provider decided to shut their entire email service, I was pleased to have LastPass to migrate 325 accounts.
Now I'm going to have to do it all again (but probably not using LastPass)

happyborg,
@happyborg@fosstodon.org avatar

@briankrebs but, but, but they called it "last pass". 🤦‍♂️

FirefighterGeek,
@FirefighterGeek@masto.ai avatar

@briankrebs What part of 2FA do people fail to understand?

mcnees,
@mcnees@mastodon.social avatar
natha,

@briankrebs @1password what’s your opinion about this fuck up of a situation?

jack_daniel,
@jack_daniel@mastodon.social avatar

@briankrebs here's the killer, at least for me: LastPass had turned to feces as far as usability and reliability go; the breaches merely reflect neglect of the product and further contempt for the customer.

briankrebs,

This also seems noteworthy:

"“I know exactly as much as everyone else,” Palant wrote in reply. “LastPass published some additional information in March. This finally answered the questions about the timeline of their breach – meaning which users are affected. It also made obvious that business customers are very much at risk here, Federated Login Services being highly compromised in this breach (LastPass downplaying as usual of course).”

AmonTheMetalHead,
@AmonTheMetalHead@mastodon.social avatar

@briankrebs They're still around?!!

briankrebs,

Woo-hoo! Hacker News top!

gsuberland,
@gsuberland@chaos.social avatar

@briankrebs monkey paw curls

jerry,

@briankrebs most impressive!

trode,
@trode@hachyderm.io avatar

@briankrebs welcome to the orange hell

wbarker,

@briankrebs Great article!

Still shocking they are in business. SMH.

balazs,

@briankrebs I read “crooks” as “chooks”. Now that would be something!

briankrebs,

I've never boosted my own toot here (jeez, when you say that out loud it sounds pretty funny).

Anyway, is that the best way to re-up a post that needs to stay on in peoples' feeds for a few days? Or is boosting your own stuff off-putting in some way?

Seems like a lot of people here probably need to read this story and take action. Grateful for everyone who has boosted this already! Thank you!

Waiting4Thunder,

@briankrebs boosting your own toot is a normal and routine thing to do here to show your toot to people logging in at different times of day, etc

Axomamma,
@Axomamma@mastodon.online avatar

@briankrebs I think it's fine if not done to excess.

exkclamation,
@exkclamation@mastodon.social avatar

@briankrebs I say boost away! 🚀

chris,
@chris@mstdn.chrisalemany.ca avatar

@briankrebs "boosting my toot" is very weird out loud. I have found the same. I'm not sure why it's not more common to say "ReToot" or “I RePosted”. Generic words are good.

EricCarroll,
@EricCarroll@mastodon.acm.org avatar

@briankrebs
I for one welcome it.

Also I add key accounts to a list and review the list to see all their posts.

gunther,
@gunther@fosstodon.org avatar

@briankrebs I've seen a lot of people boost their own stuff (and done it occasionally myself). I think it's fairly acceptable as long as you don't re-boost the same post too often.

mastodonmigration,
@mastodonmigration@mastodon.online avatar

@briankrebs Think it is just fine. Often reboost tips so that people who might have missed them the first time get another chance to see them. Never have gotten any criticism for doing so.

riffle,

@briankrebs Reboosting info is great imo.

I see some reboosting that is pure personal promo and that wears on me.

But info, especially that which requires action, is never a problem to me.

securingdev,

@briankrebs boost your toot, Brian. Ain’t nobody here going to judge you for sharing useful information 😉

rstein,
@rstein@social.tchncs.de avatar

@briankrebs I think it is a good way to amplify important stuff.

vitriolix,
@vitriolix@mastodon.social avatar

@briankrebs I have no issue with people boosting their own stuff

kpwn,

@briankrebs Drawback of boosting is that you "only" reach your followers, not the local timeline.

jamesmarshall,
@jamesmarshall@sfba.social avatar

@briankrebs I've wondered this exact thing too. Like others say, it seems to be fine. It's certainly fine with me.

As a reader, I only see posts made when (or within an hour before) I'm here, i.e. I don't read many posts made when I'm not actively using the app. I doubt many users read their entire feed. Thus, it's good to reboost important posts.

davep,

@briankrebs It's fine!

ElSupreme,
@ElSupreme@mastodon.sdf.org avatar

@briankrebs

That's the right way to amplify your message.

phurd,

@briankrebs I don't think this needs to stay in people's feeds for days

quixote,
@quixote@mastodon.nz avatar

@briankrebs No idea what the actual netiquette here is, and I'm sure people will weigh in. My personal feeling is boosting your own stuff for the information content is fine. Boosting it as self-promotion or to sell something: not fine.

In this case? Boost away!

merospit,

@briankrebs I see it as a good thing to boost self posts, particularly for people in other timezones. Boosting after 12 hours for example could make it show up for those of us who can't go back a whole day each time we login due to the number of people and hashtags we follow.

slothrop,
@slothrop@chaos.social avatar

deleted_by_author

    timbray,
    @timbray@cosocial.ca avatar

    @slothrop @briankrebs

    And, don't forget boosting your replies to interesting posts from other people that you want to get in front of more eyes. I tend to put in a ⬆️ when I do this.

    frogmaw,

    @briankrebs As a long time (12+ yrs) LastPass user and once die-hard fan, the thing that gets me the angriest is to shockingly learn that only the passwords were encrypted, and the entire rest of my Vault wasn't. This includes not just the associated URLs (thereby directing hackers where to focus their efforts) but the Notes field as well. I would keep all sorts of sensitive info there under the assumption that, well, it's in the "vault". But it seems that "vault" is to LastPass what "self-driving" is to Tesla: i.e., a term that exposes you to great risk if you take it to mean what it literally means.

    FlockOfCats,
    @FlockOfCats@famichiki.jp avatar

    @briankrebs if something is properly encrypted, shouldn’t it not matter if an attacker gets it?

    This just seems to say the data wasn’t properly encrypted (either by LastPass or by the user using a crap last password)

    chetwisniewski,
    @chetwisniewski@securitycafe.ca avatar

    @briankrebs DPRK?

    briankrebs,

    @chetwisniewski Nobody I talked to seems to have a good handle on that. Or if they do, they're not saying.

    GrayGooGirl,
    @GrayGooGirl@mstdn.games avatar

    @briankrebs When that happened, I spent 2 solid days changing every single password. On the plus side, my passwords are way more secure than they were, but it was an intense slog. I'm not sure why anyone would wait; it's just a matter of time before those vaults are opened.

    virtualtaylor,

    @briankrebs I consider myself very fortunate that I moved from LP to Bitwarden a few months before this occurred. Can’t imagine the headache LP users had to go thru to change every password in their accounts

    kev,
    @kev@dragonscave.space avatar

    @briankrebs I've never used a password manager.

    Ralph,
    @Ralph@hear-me.social avatar

    @briankrebs

    This is why I keep my birth-date on a yellow sticky under my keyboard.

    (No, it isn't a password to anything, but I'm hoping the password fairy will get me a present)

    zeljkazorz,

    @briankrebs

    There's no doubt that, aside from the criminals, LastPass is the one to blame for this mess - their breach notifications heavily downplayed the danger of stolen vaults.

    Still, I wonder why so many "security minded people" did not do a pre-emptive changing of passwords and moving of funds when the breach(es) were made public.

    briankrebs,

    @zeljkazorz Changing your passwords is a little more straightforward than changing the seed phrase that may interact with multiple crypto wallets. You can't change the seed phrase. You have to migrate everything to new wallets, and moving funds is not free (there are gas fees etc), and it generally takes effort.

    davep,

    @briankrebs @zeljkazorz You can change your live seed phrase, but that won't affect the stolen vault nor its iteration count.

    zeljkazorz,

    @briankrebs I know. But would you rather pay the fees or risk losing millions?

    But my guess is that when you're high-flying, it's difficult to make time for these things. This is not a task you can delegate without opening yourself to additional risk.

    CdnCurmudgeon,
    @CdnCurmudgeon@mastodon.social avatar

    @briankrebs It's difficult to feel any sympathy for people gulled by the Ponzi scheme that is crypto. Yes, data breaches are serious, but when the selling point behind the scheme is "get-rich-quick" grift, well, my sympathies just dry up.

    briankrebs,

    @CdnCurmudgeon I get that sentiment. However, a number of people impacted were early backers of both LP and crypto, not people who jumped on the bandwagon a few years ago.

    alison,
    @alison@mastodon.online avatar

    @briankrebs Nearly signed up with these guys days before their first breach. Dodged the bullet and have been using KeePass ever since.

    sonicJazzMonkey,

    @briankrebs Yeah following this I moved onto a different password manager. Once the trust has gone there is no going back

    spacepizzaonaroll,

    @briankrebs tl;dr for the love of god manage your passwords by yourself and don't rely on a company to protect them.

    gilesgoat,
    @gilesgoat@toot.wales avatar

    @briankrebs I always found "insane" the idea of having "a password manager/wallet/whatever" ON SOMEBODY ELSE'S SERVER .. apart from that, it's the classic "all eggs in one basket": what if that basket breaks/falls? You lose everything?

    carstenraddatz,
    @carstenraddatz@mastodon.social avatar

    @briankrebs Now I do wonder if that is the same six-figure coin stash media here suspects to be of BlackRock's making, as in them preparing for upcoming SEC regulation changes. Probably though that is just an easier story to sell, and omits inconvenient truth.

    cwbussard,
    @cwbussard@ioc.exchange avatar

    @briankrebs

    I suppose the two big lessons here are:

    (1) The people in charge at LastPass are just buffoons. They've had so many second chances, and they just keep screwing up. They're simply not capable of making a secure password manager and no one should use their product again ever.

    (2) Cloud storage for a password manager is just a fundamentally bad idea. Something is inevitably going to go wrong. And this is what happens when it does.

    I'm skeptical about low iterations on the KDF being the culprit here. Sure, having low KDF iterations like this is really bad -- like "comically negligent" kinda bad. But I'd assume that these sophisticated victims ought to have strong enough LastPass master passwords to survive brute force regardless of the KDF iterations. I'm thinking there's something cryptanalytic at play here -- a padding oracle or a dumb AES mode or dumb IV reuse or something. I'm flagging @matthew_d_green who actually knows about this stuff and might have a better idea.
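Added worked example (not from the thread, and not LastPass's actual scheme or parameters): FlockOfCats asks above whether a stolen vault should matter if it is "properly encrypted", and cwbussard argues that a strong master password should survive brute force even with a low KDF iteration count. Both points reduce to one arithmetic fact: for a vault whose key is derived from the master password with a password-based KDF, an offline attacker's expected work is (guesses needed, set by master-password entropy) times (cost per guess, set by the iteration count). The script below assumes PBKDF2-HMAC-SHA256 as the KDF, an illustrative attacker throughput of 1e9 HMAC-SHA256 evaluations per second, and illustrative iteration counts of 5,000, 100,000 and 600,000; the salt is constructed at random.

```python
import hashlib
import math
import os

# Constructed sample input: a per-user random salt, as a password manager
# would store next to the vault. Illustration only, not LastPass's scheme.
SALT = os.urandom(16)


def derive_vault_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256 (assumed KDF).

    Anyone holding the stolen vault must repeat exactly this computation for
    every candidate master password, so the cost of one guess scales
    linearly with `iterations`. That is the only thing the iteration count
    buys: it does not add entropy to a weak password.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses to find a password with `bits` of entropy: half the keyspace."""
    return 2.0 ** (bits - 1)


def expected_crack_seconds(bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected offline-cracking time in seconds.

    `hashes_per_second` is the assumed attacker throughput for a single
    HMAC-SHA256 evaluation; one PBKDF2 guess costs `iterations` of them.
    """
    seconds_per_guess = iterations / hashes_per_second
    return expected_guesses(bits) * seconds_per_guess


def iteration_speedup(low_iterations: int, high_iterations: int) -> float:
    """How many times cheaper each guess becomes at the lower iteration count."""
    return high_iterations / low_iterations


if __name__ == "__main__":
    # Same inputs give the same key; changing the iteration count changes it,
    # which is why a vault re-encrypted at a higher count is a different target
    # from the copy that was stolen at the old count.
    assert derive_vault_key("correct horse", 1_000) == derive_vault_key("correct horse", 1_000)
    assert derive_vault_key("correct horse", 1_000) != derive_vault_key("correct horse", 2_000)

    RATE = 1e9  # assumed attacker rate (illustrative), HMAC-SHA256 per second
    YEAR = 365 * 24 * 3600
    profiles = [
        ("8 random lowercase", entropy_bits(8, 26)),
        ("12 random printable ASCII", entropy_bits(12, 95)),
        ("6-word diceware (7776 list)", 6 * math.log2(7776)),
    ]
    for label, bits in profiles:
        for iters in (5_000, 100_000, 600_000):
            years = expected_crack_seconds(bits, iters, RATE) / YEAR
            print(f"{label:28s} {bits:5.1f} bits  {iters:>7d} iters  {years:10.3g} years")
```

Running the table shows the two halves of the argument side by side: an 8-character lowercase master password (about 37.6 bits) falls in days at the low iteration count and still only in a year or so at the high one, while a 12-character random or six-word diceware password stays out of reach at any of the three counts. The iteration count is a linear multiplier on attacker cost; master-password entropy is an exponential one, which is why the defensive advice in the thread (rotate credentials, raise the KDF iterations where the product allows it, and treat the stolen copy as crackable at its old parameters) holds regardless of which explanation for the heists turns out to be right.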

    MoiraEve,
    @MoiraEve@mastodon.world avatar

    @briankrebs LastPass has been shite for years!

    MoiraEve,
    @MoiraEve@mastodon.world avatar

    @briankrebs those bloody thieves.

    ashishlotake,

    @briankrebs that's why I use Bitwarden + authenticator on very, very important accounts

    synlogic,
    @synlogic@toot.io avatar

    @briankrebs LastPass: wow. a company that had one job. literally one job. and blew it. shameful

    thumbone,

    @briankrebs Use Bitwarden. Can self host it even. Quality FOSS. LastPass offers no advantage over it at all (fully cross-platform, and cross browser support and autofill as desired)

    kentborg,

    @briankrebs But, but, but…I thought password managers were exempt from the rule that all software has bugs!

    tutwilly,

    @briankrebs so this guy in the article. Works with crypto. Had lots of crypto. Kept his junk in a cloud solution. Knew the cloud solution was hacked. And still didn't figure out he needed to change his passwords?

    MrFrenchFries,
    @MrFrenchFries@mastodon.social avatar

    @briankrebs Serious question for the crypto bros. Ok. SEMI serious. If you don’t believe in government do you really believe in theft?

    wjmalik,
    @wjmalik@noc.social avatar

    @briankrebs
    Oh oh oh.
    Damn damn damn.

    Viss,
    @Viss@mastodon.social avatar

    @briankrebs nobody learns
