At the end of last year, LastPass allegedly lost data from some of its password vaults in a breach. And every month since December 2022, at least a few big six-figure cryptocurrency thefts have occurred, all of which seem to have ties to the LastPass breach. According to new research, “nearly every victim” had used LastPass.
All told, the money lost to all these crypto thefts totaled more than $35 million, across more than 150 victims.
Here’s how it went wrong, and how you can keep your own cryptocurrency wallet from going up in smoke.
The LastPass Breach Timeline
In 2022, LastPass suffered two major breaches that we know about: One breach in August that didn’t result in any customer data lost and one breach in November that relied on the use of company information taken in the first breach.
We don’t know the full impact of the November breach. In a recent statement to The Verge, LastPass CEO Karim Toubba said the breach remains “the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation.”
We covered that litigation in January, when a class action lawsuit was filed against LastPass, alleging negligence, breach of contract, and deceptive acts.
Now, following an investigation by the cryptocurrency wallet MetaMask’s lead product manager, Taylor Monahan (check out the lengthy thread on Twitter/X over here), it seems that LastPass data is the common thread tying together a huge string of crypto thefts.
If you used LastPass in 2022, experts are saying, you really should change all your passwords and migrate your crypto.
Don’t Store Your Crypto Seed Phrase Online
Every single crypto victim tied to the LastPass breach shares one thing in common: They had all stored their sensitive “seed phrases” with the password-keeping service.
Seed phrases are essentially the passwords that a crypto user needs to enter in order to access their cryptocurrency. So, it makes sense that these 150 (and counting) victims were targeted. Thieves are going through the LastPass data trove and sniffing out the seed phrases that are tied to large amounts of money, ensuring that they’ll get a five- or six-figure payday for every theft.
Crypto users who were lucky enough to avoid their own data exposures can learn a clear lesson: Don’t store your entire seed phrase in an online service, no matter how encrypted it is. Instead, we recommend three different ways to safely store your seed phrase:
- A physical location – the most unhackable option.
- A hard drive – this at least keeps your data off the wider internet.
- Split the phrase up – if you separate the seed phrase into two or more parts, you can store them in multiple locations, greatly reducing the odds that the same hackers can get their hands on the entire phrase.
Plus, you don’t want to keep all your eggs in one basket: Get multiple recovery phrases.
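The “split the phrase up” advice above, worked through as an added example that is not part of the original article: simply cutting a 12-word phrase in half leaves each half holding six real words, so anyone who finds one half has far less left to guess. The script below instead splits the phrase into pieces that are each just random bytes on their own (XOR-based secret splitting, standard library only), so all pieces must be brought together to recover anything, and a short checksum tells you whether a piece is missing or damaged. The sample phrase is constructed for the demo and is not a real wallet’s seed.

```python
"""Split a seed phrase into n pieces that must ALL be present to rebuild it.

Added example. Each piece is uniformly random on its own (XOR secret
splitting), unlike cutting the phrase into halves, which leaves real
words in every half. Python standard library only.
"""
import hashlib
import secrets

TAG_LEN = 4  # bytes of SHA-256 prepended so recombination can be verified

# Constructed sample phrase for the demo (NOT a real wallet seed).
SAMPLE_PHRASE = ("apple brave candle delta eagle fabric "
                 "garden hollow island jungle kettle lemon")


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pieces differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:TAG_LEN]


def split_phrase(phrase: str, n: int) -> list[str]:
    """Return n hex-encoded pieces of `phrase`; every one of them is needed."""
    if n < 2:
        raise ValueError("need at least two pieces")
    body = phrase.encode("utf-8")
    secret = _tag(body) + body
    # n-1 pieces are fresh random bytes of the same length as the secret ...
    pieces = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    # ... and the last piece is the secret XORed with all of them, so any
    # subset of n-1 pieces is still indistinguishable from random bytes.
    last = secret
    for p in pieces:
        last = _xor(last, p)
    pieces.append(last)
    # Hex is easy to write on paper or store in separate offline places.
    return [p.hex() for p in pieces]


def combine_pieces(pieces: list[str]) -> str:
    """XOR all pieces back together and verify the checksum."""
    raw = [bytes.fromhex(p) for p in pieces]
    acc = bytes(len(raw[0]))
    for r in raw:
        acc = _xor(acc, r)
    tag, body = acc[:TAG_LEN], acc[TAG_LEN:]
    if tag != _tag(body):
        raise ValueError("checksum mismatch: a piece is missing or damaged")
    return body.decode("utf-8")


def naive_halves(phrase: str) -> list[str]:
    """The literal 'cut it in two' approach, for comparison."""
    words = phrase.split()
    mid = len(words) // 2
    return [" ".join(words[:mid]), " ".join(words[mid:])]


def words_exposed(piece: str, phrase: str) -> int:
    """How many of the phrase's words appear verbatim in a stored piece."""
    piece_words = set(piece.split())
    return sum(1 for w in phrase.split() if w in piece_words)


if __name__ == "__main__":
    shares = split_phrase(SAMPLE_PHRASE, 3)
    for i, s in enumerate(shares, 1):
        print(f"piece {i}: {s}  (words exposed: {words_exposed(s, SAMPLE_PHRASE)})")
    print("recovered:", combine_pieces(shares))
    for h in naive_halves(SAMPLE_PHRASE):
        print(f"naive half exposes {words_exposed(h, SAMPLE_PHRASE)} words: {h}")
```

Each piece can then go to a different offline location, exactly as the list above suggests; the difference is that losing any single piece to a thief reveals nothing about the phrase, while losing all of them to a fire is just as fatal as before, which is why the article’s point about multiple recovery phrases still stands.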
The Best Password Management Tools
We’ve ranked all the best password managers over here, and LastPass is high on the list. But if you’d prefer a different option, we can help: NordPass and 1Password remain our all-time favorites, in first and second place, respectively.
Just remember: A password management tool is just one layer of security. It won’t make up for a company or individual lacking in other areas, from employee security training sessions to extra precautions for storing your cryptocurrency recovery phrase.