LastPass hackers drained $12.4m ETH from 100+ wallets: ZachXBT
The 2022 LastPass data breach has allowed threat actors to steal $12.38 million from users in a new attack.
According to blockchain sleuth ZachXBT, the LastPass hackers stole millions in Ethereum (ETH) from over 100 wallet addresses between Dec. 16 and Dec. 17. The criminals quickly swapped the ill-gotten wealth from ETH to Bitcoin (BTC), using multiple instant exchanges. A list of affected addresses may be found here.
LastPass is a password management service for securing cryptocurrency wallets. The startup suffered two hacks in 2022 – once in August and again in October – resulting in unauthorized access to customer keys, API tokens, multi-factor authentication seeds, and other sensitive security information.
In January 2023, users slapped LastPass with a class action lawsuit. The complaint alleged the provider failed to protect user data and adopted lax security protocols.
Turbulent times persisted for the company as bad actors leveraged stolen data to execute staggered crypto heists. A crypto holder blamed LastPass for a $50,000 theft in April 2023, per crypto.news reporting. Later in October, 25 victims lost $4.4 million to wallet drainers. LastPass again came under fire for the breach.
The latest incident raised questions about future LastPass-tied attacks, since criminals continued to leverage info stolen in 2022. It also reminded the larger crypto community of existing security threats.
MetaMask developer Taylor Monahan urged users to migrate funds to new wallets if they’ve used LastPass before. A white hat coalition called Security Alliance, or SEAL ORG, also notified users that crypto assets may be at risk if action isn’t taken.