Experts: LastPass Data Breach Led to A Ton of Cryptocurrency Heists

Crypto users shouldn't store their entire seed phrase in an online service, no matter how encrypted it is.

At the end of last year, LastPass allegedly lost data from some of its password vaults in a breach. And every month since December 2022, at least a few big six-figure cryptocurrency thefts have occurred, all of which seem to have ties to the LastPass breach. According to new research, “nearly every victim” had used LastPass.

All told, the money lost to all these crypto thefts totaled more than $35 million, across more than 150 victims.

Here's how it went wrong, and how you can keep your own cryptocurrency wallet from going up in smoke.

The LastPass Breach Timeline

In 2022, LastPass suffered two major breaches that we know about: one in August that didn't result in any customer data being lost, and one in November that relied on company information taken in the first breach.

We don't know the full impact of the November breach. In a recent statement to The Verge, LastPass CEO Karim Toubba says this breach remains “the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation.”

We covered that litigation in January, when a class action lawsuit was filed against LastPass, alleging negligence, breach of contract, and deceptive acts.

Now, following an investigation by Taylor Monahan, lead product manager at the cryptocurrency wallet MetaMask (detailed in a lengthy thread on Twitter/X), it seems that LastPass data is the common thread tying together a huge string of crypto thefts.

If you used LastPass in 2022, experts are saying, you really should change all your passwords and migrate your crypto.

Don't Store Your Crypto Seed Phrase Online

Every single crypto victim tied to the LastPass breach shares one thing in common: They had all stored their sensitive “seed phrases” with the password-keeping service.

Seed phrases are essentially the passwords that a crypto user needs to enter in order to access their cryptocurrency. So, it makes sense that these 150 (and counting) victims were targeted. Thieves are going through the LastPass data trove and sniffing out the seed phrases that are tied to large amounts of money, ensuring that they'll get a five- or six-figure payday for every theft.

Crypto users who were lucky enough to avoid their own data exposures can learn a clear lesson: Don't store your entire seed phrase in an online service, no matter how encrypted it is. Instead, we recommend three different ways to safely store your seed phrase:

  • A physical location – the most unhackable option.
  • A hard drive – this at least keeps your data off the wider internet.
  • Split the phrase up – If you separate the seed phrase into two or more parts, you can store them in multiple locations, greatly reducing the odds that the same hackers can get their hands on the entire phrase.

Plus, you don't want to keep all your eggs in one basket: Get multiple recovery phrases.

The Best Password Management Tools

We've ranked all the best password managers, and LastPass is high on the list. But if you'd prefer a different option, we can help: NordPass and 1Password remain our all-time favorites, in first and second place, respectively.

Just remember: A password management tool is just one layer of security. It won't make up for a company or individual lacking in other areas, from employee security training sessions to extra precautions for storing your cryptocurrency recovery phrase.

Written by:
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.