LastPass hack causes whopping $4.4 mn loss in crypto to victims!

Hackers have targeted LastPass, the popular password manager, resulting in the theft of over $4.4 million in crypto from at least 25 users. This is the second cyberattack on the platform in less than a year.

Updated on: Nov 01 2023, 11:29 IST

In this digital age where everything is online, cybersecurity professionals advise using a password manager, which helps you manage the passwords you have set up for different platforms and can also create complex passwords for you. But what if the password manager itself becomes the target of hackers? This is exactly what happened with LastPass, the password manager application owned by GoTo. On October 25, at least 25 LastPass users were targeted by cybercriminals who siphoned over $4.4 million from them in crypto. Let us take a closer look.

LastPass hack: What happened

According to blockchain analyst ZachXBT (via CoinDesk), the popular password manager LastPass has become the latest target of hackers. This is the second cyberattack on the platform in less than a year, after hackers gained unauthorized access to LastPass' third-party cloud-based storage service, which is used to store archived backups of production data.

“Just on October 25, 2023 alone another ~$4.4M was drained from 25+ victims as a result of the LastPass hack. Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately”, ZachXBT posted on X.

As part of this latest hack, threat actors compromised 80+ distinct addresses and more than 25 victims, stealing keys and seed phrases to their crypto assets, according to ZachXBT and MetaMask developer Taylor Monahan. Funds from blockchains such as Bitcoin, Ethereum, BNB, Arbitrum, and Solana have been siphoned, with estimates putting the total at nearly $4.4 million.

Continuous thefts

After last year's hack, LastPass has become the victim of thefts on numerous occasions. According to Monahan, more than 150 people are connected to these thefts which amount to a staggering $35 million in crypto. Interestingly, none of the attacks began as a result of the victim's phone or email getting compromised.

“The victim profile remains the most striking thing. They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs, people who built DeFi protocols, deploy contracts, run full nodes”, Monahan said.

The list of stolen keys is diverse, with hackers stealing 12 and 24-word seeds, Ethereum presale wallet jsons, wallet.dats, private keys generated via MEWs, and more.

How to protect yourself against password hacks

1. Do not reuse passwords - ALWAYS keep a different password for different platforms.

2. Use random combinations - Passwords that contain a mix of characters, numbers, and symbols are more difficult to guess and are therefore less likely to be hacked.

3. Keep long passwords - You should aim for a password that is at least 8-12 characters long as it takes longer to figure out.

4. Use 2FA/MFA - Most platforms offer additional security layers such as OTPs sent via email or to your phone number. Use them; you can never be too safe.

5. Use a password manager - A password manager helps you manage multiple passwords that you have set up for different platforms and it can also create complex passwords for you. Moreover, it also stores them securely, away from prying eyes.


First Published Date: 01 Nov, 10:50 IST