March 7, 2025

In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.

On March 6, federal prosecutors in northern California said they seized approximately $24 million worth of cryptocurrencies that were clawed back following a $150 million cyberheist on Jan. 30, 2024. The complaint refers to the person robbed only as “Victim-1,” but according to blockchain security researcher ZachXBT the theft was perpetrated against Chris Larsen, the co-founder of the cryptocurrency platform Ripple. ZachXBT was the first to report on the heist.

This week’s action by the government merely allows investigators to officially seize the frozen funds. But there is an important conclusion in this seizure document: It basically says the U.S. Secret Service and the FBI agree with the findings of the LastPass breach story published here in September 2023.

That piece quoted security researchers who said they were witnessing six-figure crypto heists several times each month that all appeared to be the result of crooks cracking master passwords for the password vaults stolen from LastPass in 2022.

“The Federal Bureau of Investigation has been investigating these data breaches, and law enforcement agents investigating the instant case have spoken with FBI agents about their investigation,” reads the seizure complaint, which was written by a U.S. Secret Service agent. “From those conversations, law enforcement agents in this case learned that the stolen data and passwords that were stored in several victims’ online password manager accounts were used to illegally, and without authorization, access the victims’ electronic accounts and steal information, cryptocurrency, and other data.”

The document continues:

“Based on this investigation, law enforcement had probable cause to believe the same attackers behind the above-described commercial online password manager attack used a stolen password held in Victim 1’s online password manager account and, without authorization, accessed his cryptocurrency wallet/account.”

Working with dozens of victims, security researchers Nick Bax and Taylor Monahan found that none of the six-figure cyberheist victims appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto theft, such as the compromise of one’s email and/or mobile phone accounts, or SIM-swapping attacks.

They discovered the victims all had something else in common: Each had at one point stored their cryptocurrency seed phrase — the secret code that lets anyone gain access to your cryptocurrency holdings — in the “Secure Notes” area of their LastPass account prior to the 2022 breaches at the company.

Bax and Monahan found another common theme with these robberies: They all followed a similar pattern of cashing out, rapidly moving stolen funds to a dizzying number of drop accounts scattered across various cryptocurrency exchanges.

According to the government, a similar level of complexity was present in the $150 million heist against the Ripple co-founder last year.

“The scale of a theft and rapid dissipation of funds would have required the efforts of multiple malicious actors, and was consistent with the online password manager breaches and attack on other victims whose cryptocurrency was stolen,” the government wrote. “For these reasons, law enforcement agents believe the cryptocurrency stolen from Victim 1 was committed by the same attackers who conducted the attack on the online password manager, and cryptocurrency thefts from other similarly situated victims.”

Reached for comment, LastPass said it has seen no definitive proof — from federal investigators or others — that the cyberheists in question were linked to the LastPass breaches.

“Since we initially disclosed this incident back in 2022, LastPass has worked in close cooperation with multiple representatives from law enforcement,” LastPass said in a written statement. “To date, our law enforcement partners have not made us aware of any conclusive evidence that connects any crypto thefts to our incident. In the meantime, we have been investing heavily in enhancing our security measures and will continue to do so.”

On August 25, 2022, LastPass CEO Karim Toubba told users the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

Experts say the breach would have given thieves “offline” access to encrypted password vaults, theoretically allowing them all the time in the world to try to crack some of the weaker master passwords using powerful systems that can attempt millions of password guesses per second.

Researchers found that many of the cyberheist victims had chosen master passwords with relatively low complexity, and were among LastPass’s oldest customers. That’s because legacy LastPass users were more likely to have master passwords that were protected with far fewer “iterations,” which refers to the number of times your password is run through the company’s encryption routines. In general, the more iterations, the longer it takes an offline attacker to crack your master password.

Over the years, LastPass forced new users to pick longer and more complex master passwords, and they increased the number of iterations on multiple occasions by several orders of magnitude. But researchers found strong indications that LastPass never succeeded in upgrading many of its older customers to the newer password requirements and protections.
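To make the iteration argument concrete, here is an added example (not code from the article or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 and scales a constructed attacker guess rate by iteration count, so the cost of an old 5,000-iteration vault can be compared with a 600,000-iteration one. The KDF choice, the email-as-salt convention, the 1,000,000 guesses/second reference figure and the 8-character password shape are all assumptions for illustration, not measured values.

```python
"""Added example (not from the article or LastPass): why the PBKDF2 iteration
count matters once an attacker holds an encrypted vault offline."""
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.2425 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key the way a LastPass-style client does.

    Assumption for this example: PBKDF2-HMAC-SHA256 with the lower-cased
    account email as the salt (the scheme the comments on this page describe).
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def seconds_per_derivation(iterations: int, repeats: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine (the legitimate user's cost)."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
    return (time.perf_counter() - start) / repeats


def attacker_guess_rate(rate_at_reference: float, reference_iterations: int,
                        iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so a rig that manages
    `rate_at_reference` guesses/s at `reference_iterations` manages
    proportionally fewer guesses/s against a vault with more iterations."""
    return rate_at_reference * reference_iterations / iterations


def expected_crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password of the given shape:
    on average half the keyspace has to be tried."""
    expected_guesses = (alphabet_size ** length) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_iteration_policies(alphabet_size: int, length: int,
                               reference_rate: float = 1_000_000.0,
                               reference_iterations: int = 5_000,
                               new_iterations: int = 600_000) -> dict:
    """Compare a legacy low-iteration vault with one on the current policy.

    The reference rate (1,000,000 guesses/s at 5,000 iterations) is a
    constructed figure for illustration, not a benchmark of any real hardware.
    """
    old_rate = attacker_guess_rate(reference_rate, reference_iterations, reference_iterations)
    new_rate = attacker_guess_rate(reference_rate, reference_iterations, new_iterations)
    old_years = expected_crack_years(alphabet_size, length, old_rate)
    new_years = expected_crack_years(alphabet_size, length, new_rate)
    return {"old_years": old_years, "new_years": new_years, "slowdown": new_years / old_years}


if __name__ == "__main__":
    # Constructed case: an 8-character master password drawn from 36 symbols
    # (lowercase letters and digits), the kind of "low complexity" password
    # the researchers describe.
    result = compare_iteration_policies(36, 8)
    print(f"expected crack time at   5,000 iterations: {result['old_years'] * 365.2425:.1f} days")
    print(f"expected crack time at 600,000 iterations: {result['new_years']:.1f} years")
    print(f"slowdown from raising iterations: {result['slowdown']:.0f}x")
    # The same factor is what the legitimate user pays on each unlock.
    for it in (5_000, 600_000):
        print(f"{it:>8} iterations: {seconds_per_derivation(it) * 1000:.1f} ms per unlock here")
```

The slowdown factor is simply the ratio of the two iteration counts, which is why a weak password behind 5,000 iterations is a realistic target while the same password behind 600,000 is only 120 times harder, not safe.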

Asked about LastPass’s continuing denials, Bax said that after the initial warning in our 2023 story, he naively hoped people would migrate their funds to new cryptocurrency wallets.

“While some did, the continued thefts underscore how much more needs to be done,” Bax told KrebsOnSecurity. “It’s validating to see the Secret Service and FBI corroborate our findings, but I’d much rather see fewer of these hacks in the first place. ZachXBT and SEAL 911 reported yet another wave of thefts as recently as December, showing the threat is still very real.”

Monahan said LastPass still hasn’t alerted their customers that their secrets—especially those stored in “Secure Notes”—may be at risk.

“It’s been two and a half years since LastPass was first breached [and] hundreds of millions of dollars has been stolen from individuals and companies around the globe,” Monahan said. “They could have encouraged users to rotate their credentials. They could’ve prevented millions and millions of dollars from being stolen by these threat actors. But instead they chose to deny that their customers were at risk and blame the victims instead.”


61 thoughts on “Feds Link $150M Cyberheist to 2022 LastPass Hacks”

  1. vbb

    These hacks have cost LastPass nothing, $0. Hundreds of millions of dollars have been stolen from individuals and others, but nothing from LastPass. Think about that before you trust your security to a company that has no skin in your game.

    Reply
    1. zy

      It’s still better than no password manager, and probably a lot better than many of them. Course since LastPass is one of the oldest and most popular (or at least was) it’s going to be targeted more too.

      Reply
      1. mealy

        Read the articles about the 2022 incident(s) all over again, refresh yourself or become initially acquainted.
        It was targeted, but they failed. That’s actually not better than ‘no manager’, that is in fact worse.

        Reply
    2. ReadandShare

      While I agree that LastPass is responsible for its own security lapses, individual users too are culpable if they use simple master passwords. As written above, “Researchers found that many of the cyberheist victims had chosen master passwords with relatively low complexity, and were among LastPass’s oldest customers”. LastPass breaches have been widely announced over the years; individuals need to do their part: either improve their master passwords (and up the iterations) – or migrate elsewhere safer! Those who do neither… well, some of them get hacked.

      Reply
      1. mealy

        Did they _enforce_ the minimum best practices? A: it’s complicated.

        Reply
  2. Carl Fink

    Can I ask what seems to me like an obvious question?

    Surely LastPass notified their users about the breach. Surely they advised the people whose data was leaked to change the relevant passwords. Did all of these thefts happen because those folks just … didn’t?

    Reply
    1. BrianKrebs Post author

      Others more experienced in dealing with these specific breaches can weigh in here if they want. But my understanding is that some people maybe didn’t think about the fact that if they wanted to be safe, they had to move everything to a new wallet with a new seed phrase. Also, probably for a lot of people that was too much hassle for little perceived risk. After all, the vaults were encrypted with LastPass’s secret sauce, right? Some people likely just forgot they had stored seed phrases there.

      Reply
      1. Tarapup

        Moving to a new wallet with a new seed phrase is nice, but once they cracked the master pass they could apply it to the vaults they stole too. If it were only the master pass then Lastpass could have forced new master passwords and done verification.

        The solution is to change the credentials on your accounts.

        Reply
      2. Carl Fink

        You know … I might not have realized that about the “seed phrase”, because I had never read or heard that expression until just now.

        OTOH, that means LastPass (if I’m understanding you) allowed their customers to keep using the secret key that was stolen, assuming their encryption couldn’t be broken (or just not caring).

        Reply
      3. Michael Burns

        While I do write code (mostly for data analysis), I would have thought LastPass could have automated the process where, to the user, they appear to be changing their master password, and behind the scenes LastPass creates a new wallet with a new seed and automates the data transfer from old to new wallet. It’s just software. More importantly, once you create that software you just make it the default.

        Reply
        1. BIgP

          Lastpass doesn’t have control over any wallets. They just store passwords. If they did create some sort of automation with other sites, it’d open another attack vector. (watch out for “fintech” exploits in the near future…)

          Reply
          1. nemo

            Not the wallets, no. But they could have changed the complexity and iterations of the vault encryption without the user even knowing it. As soon as a user gives his password or hash, they can switch to a more complex hash. Only problem would have been users who never logged in since the increase in hash complexity. But even those could have been analyzed for subpar passwords – the way the thieves did.

            Reply
      4. Fr00tL00ps

        Many people either didn’t realise they needed to move their crypto to a new wallet or underestimated the risk. A few key factors played into this:

        False sense of security from LastPass. LastPass marketed its encryption as extremely secure, leading users to trust that even if vaults were stolen, they were safe as long as they had a strong master password. The company’s messaging downplayed the urgency of moving sensitive assets like crypto, and some users simply weren’t aware they needed to take immediate action.

        Moving to a new wallet is a hassle. Generating a new wallet, writing down a new seed phrase, moving funds, and updating accounts is a tedious process. Many people probably thought, “The odds of my vault being cracked are low, so I’ll just leave it” and considering what was at risk, this was a bad attitude as ZERO trust is key. Others might have forgotten that they even stored their seed phrases in LastPass — especially if they hadn’t needed to access them in years.

        People didn’t expect *their* vaults to be targeted, “everybody else but NOT me, surely?”. Another fail for inconvenience. While passwords can be reset, crypto private keys are permanent — but not everyone immediately connected the dots on how serious that was. The reality is that attackers specifically targeted LastPass vaults for months, likely using high-powered brute-force techniques to crack weaker master passwords. Once an attacker unlocked a vault, they had everything; wallet keys, crypto exchange logins, email accounts for phishing, and more.

        I think the biggest takeaway in all this is that ZERO data that was exfiltrated from either of the 2 breaches has ever appeared for ransom, trade or otherwise on the Dark markets or forums anywhere since. This leads me to believe that the attackers knew exactly what they were looking for and were targeting crypto specifically; and the only groups to perform this particular modus operandi are North Korea. This was a well orchestrated and sophisticated crypto targeted campaign that could only have been pulled off by a nation state actor.

        Reply
        1. GB82

          They need the funds to feed into their nuclear/weapons programs.

          Reply
        2. mealy

          “the only groups to perform this particular modus operandi are North Korea.” Probably right.
          Maybe right.

          Reply
      5. Quid

        Export the LastPass vault and verify its integrity, for safekeeping, before any major changes are made.
        For those seeds, they did/do need to be changed ASAP, and it has been too late for many, as the article states.

        Likewise, the only way to save oneself after the breach is to change the passwords on every individual account within the LastPass vault that was stored there at the time of the breach, before the hacker(s) can brute force crack them, but first one must change their master password to at least 12+ characters, but better a 4 to 5 word Diceware type passphrase, and ensure the PBKDF2 iterations are at least 600,000 or more. Also change the email address associated with LastPass, which introduces a new salt, or at least it did back when I changed mine prebreach. When changing the MP and email address it also updated the encryption mode from ECB to CBC before LP apparently and finally forced that on everyone.

        On the other hand, many have argued to simply migrate away from LP to 1Password, Bitwarden, NordPass, etc.
        Bitwarden is free and the pro version is $10/year.
        The LP vault can be imported directly into BW, then make the password changes, not before. Then when satisfied that all is in working order, delete the LP account. Some even advise creating fake passwords and email addresses before deleting the account in case LP does not properly delete the vault and it is still hackable. But if you already changed your MP, email address, and individual passwords after migrating to the new PWM, then the old login credentials should be useless.
        Quid

        Reply
    2. adfasdf

      They did not notify corporate end-users directly. They posted stuff on their website. Amazingly, my own employer used (and still uses) LastPass, and they give every employee an account. My employer did not send out a single thing about it. They completely ignored even LastPass’ recommendations they had posted on their website. No recommendation to rotate passwords, nothing.

      I do not use my work LastPass even for work stuff, and many of my co-workers are the same. I never even log in. Someone higher up in the company told me, “Don’t worry about not using it, it’s just something we have to have for auditors.” I’m stunned even as I type this, but it’s true. I haven’t logged into my work one for years now. Nobody has ever said a word to me about my lack of use. I work at a tech company that has security offerings, too. I’m not kidding.

      Reply
    3. Some guy I guess

      There was sort of a security breach but your info is still totally safe. But you might want to change every single password and move every bit of crypto currency you own to make sure.

      Vs

      Your passwords and notes vault have been copied by hackers in an attempt to decrypt your vault and steal ALL of its contents. It is only a matter of time and effort before they are able to access your data. If you do not change every single password and move every bit of crypto you own that had secret keys in your notes you are completely and utterly screwed. Even if you do that, if you stored anything of value in there that you can’t change, you are still screwed. Good luck with that. You shouldn’t have put that stuff in your notes! Sucker.

      Reply
    4. Fr00tL00ps

      It was a little more complicated than that. LastPass’ communication was vague and delayed. When LastPass disclosed the breach in late 2022, they did not initially emphasise that encrypted vaults had been stolen. They framed the risk as minimal if users had strong master passwords, and many users didn’t realise that their entire vault contents were exposed to brute-force attacks.

      Cracking password vaults takes a lot of time and resources. Even with strong encryption, attackers can crack weak master passwords over time and if someone had a weak master password, they may not have realised their vault was compromised until it was too late.

      Not everyone could easily change every password. Some victims had hundreds or thousands of credentials stored in LastPass and crypto wallets use private keys that, if stolen, cannot be changed like a regular password.

      Some people DID change passwords and still got hacked. Some reports suggest that even users who migrated away from LastPass and changed passwords still lost funds. This raised concerns that additional metadata (like password history or old backups) may have been leaked.

      Yes, some people may have ignored the warning. But LastPass downplayed the severity, and even those who took precautions weren’t necessarily safe. It’s a mix of poor communication, technical limitations, and a slow realisation of just how bad the breach was.

      Reply
      1. mealy

        Exactly. They failed the response when it mattered most. It was a chain of fails that allowed exploitation. Where exactly ‘fault’ lies in each of those as an aggregate is difficult to suss out, but there was some fault and it’s like people want to give LP a pass on that because they use it, Stockholm is beautiful nothing else matters.

        Reply
    5. Strongarm

      LastPass did notify users.
      They did not force me to change password or iterations.
      I found out about the iterations needing to be increased from a technical news source not affiliated with LastPass.
      I switched to a new password manager and changed ALL of my passwords. Huge pain but it had to be done.

      Side benefit I do have more MFA enabled now and the new manager informs me if MFA is now available for the site I’m using.

      Reply
  3. Ernest N. Wilcox Jr.

    I’ve been a LastPass user for several years. I started using the free version prior to 2022, then when the company changed their policy regarding use of a free account on multiple device types (e.g. a PC and a phone) I upgraded to a paid account. I started using a password manager because I was taking responsibility for my own digital security, not to put that burden on some company. When I learned about the LastPass breach, I went through all the Internet accounts in my vault, changed my passwords, and increased the default length from 12 to 16 characters. As I changed passwords on the Internet accounts in my vault, I enabled 2FA on each account, and if the site/service provider did not offer that security feature, I added that service type to my list of service providers to change. In my opinion, if an Internet service provider cares so little about my digital security that they don’t support two factor authentication, I don’t want to use their service. I can always go elsewhere for that service. Today, all the Internet accounts in my LastPass vault have long, strong, unique passwords, supported by two factor authentication. Twice annually, I go through all the accounts in my vault, and decide if I still need the service provided by each of those accounts, and close any accounts I no longer need/use.

    While LastPass probably shouldn’t put the blame for being hacked on their customers, at the same time their customers’ digital security is their own responsibility, not that of LastPass. LastPass is only responsible to try to keep their customers’ vaults as safe as possible, something they failed to do in 2022, but which they have been working to correct ever since. While I, as an individual, cannot make all my assets completely secure/safe from theft, I can make the effort required to complete that theft as difficult as possible, so the thieves will go in search of easier targets. If you ask me, the people who got hacked following the LastPass breach, assuming the information stolen from LastPass was used in the hack, had the opportunity to upgrade their digital security by changing all their passwords, making sure that each password is unique, enabling 2FA where it’s appropriate (do bitcoin accounts even support 2FA?), and changing the credentials required for any wallets they may have, etc., prior to being hacked, didn’t they? If the people who got hacked failed to change/upgrade their passwords/security credentials following the LastPass breach, then they are ultimately responsible for being hacked, not LastPass.

    Note that while I’m a LastPass customer, I have no other affiliation with them, and I’m not an employee/agent of/for them. The content above contains my personal thoughts/opinions, and nothing I’ve stated here should be construed as fact. You may consider what I’ve said here if you want to, but you should make up your own mind for yourself about what the truth is.

    Ernie

    Reply
    1. Scott

      Your comments that make it clear you have no idea what you are talking about are refreshing.

      Reply
      1. ml66uk

        Sounds like he knows what he’s talking about to me. You, not so much.

        Reply
      2. Fr00tL00ps

        Scott, if you are going to debase someone for *your* perceived lack of knowledge, at least have the common decency to provide input into what you think they got wrong, so you don’t come off as an arrogant wannabe.

        LastPass is just a tool. On its own it is not a panacea for all known digital threats, but one of many utilities and standard practises that may be used to reduce one’s risk or exposure online. What Eric has described above was standard best practice, advised by LastPass, post breach in 2022. LastPass’s conduct prior to the breach is not the issue here, it is what happened after the breach that is in question. If YOU weren’t proactively maintaining your security posture, like keeping updated and/or ignoring alerts to address priority issues when they arise, that is on YOU not LastPass.

        However, if you wish to regale us with your current understanding of the mathematical theorem of cryptography, I am all ears.

        Reply
    2. Thorsten Neumann

      Ernie, you play such an innocent role while you completely glaze over the fact that Lastpass denied the hack in the first place, then simply told affected users to change their master password.

      Customers had experienced identity theft with SSN, passport and bank account details in Lastpass. Customers have had increased phishing attempts. Paying clients lost crypto for trusting an ISO27001 and SOC2 Type II certified company passing annual audits (let us not forget they were subsidiary of a listco GoTo). They are a large global business. They provide data protections services and that comes with responsibility AND accountability. Do you not realise that they failed their customers regardless of the losses?

      Thus, it is exactly the crypto losses that create the direct linkage to Lastpass. Credit card abuse and identity theft are hard to prove but crypto losses make it clear-as-day that data placed with Lastpass was and is not secure; again a breach of their terms of service and contractual obligations.

      You make up some story about 2FA and rotating passwords, while all that is circumstantial. How do you go about changing someone’s stolen identity? How about the personal and passport details then used in fake KYC for financial services and loans?

      You’re naive and likely paid by Lastpass to post such a lame-duck response. Lastpass has to date not communicated to its clients all the resulting risks and spillover (for all the litigation avoidance reasons).

      Reply
    3. AW

      16 chars is not enough with today’s computing power, and you’re broadcasting the dictionary size required to crack your passwords.

      You should use near as many as a site supports. Take Comcast for example, they support up to 100. So why not 90-some…. You don’t have to remember it.

      Reply
      1. Sc00bz

        > 16 chars is not enough with today’s computing power

        A random 16 character alphanumeric password is uncrackable (36^16). Even if salted MD4, then it will take an average of 434,000 GPU-years/password (36^16/290,400,000,000/3600/24/365.2425 * 50% with 290,400,000,000 being the speed of an RTX 4090 for MD4).

        It’s almost uncrackable even if unsalted MD4, the entire world generated passwords like that, and every user database was publicly readable. At 2^32 people online and 2^8 accounts/person (overestimate), 6+ TB of 12 channel DDR5-6000, 1 memory access per password guess (underestimate), and enough compute to saturate memory then you’re expected to get one password after 70 seconds, 20 chars is 3.7 years, and 24 chars is 6,200,000 years or a good estimate of 36^(chars-16)*69.684 seconds. (log(0.5)/(72,000,000,000*log(1-2^40/36^16)) ≈ 69.684 seconds. Note “log(0.5)” is the log of the probability of failure. If you wanted to change the probability of success to 10%, then it’s “log(1-0.1)” or “log(0.9)”. This also assumes the 2^40 passwords are unique. There’s a 1 in 13.67 chance there’s a collision but less of a chance with more than 16 characters (1/(1-e^(-(2^80)/(2*36^16))) ≈ 13.6728).

        Reply
          1. Sc00bz

            Well no. To break AES-128 you need a quantum computer with a circuit complexity of like 2^100. I forget the exact amount and it depends on error rates. A quantum computer with close to 2^30 might happen. So let’s say it can crack a 60 bit key in 2^30 time. A key space of 2^82.72 would “run” in 2^52.72 time (2^82.72 * 2^30/2^60). That’s 1.2 million times harder than breaking a 256 bit elliptic curve (https://arxiv.org/pdf/quant-ph/0301141, page 26). So sure doable on the order of years… until you add uppercase or an extra character or two. Now it’s decades to centuries.

            Reply
            1. mealy

              I’d love to believe you believe these regimes are perfectly implemented.

              Reply
    4. Tarapup

      Agreed. I was told by Lastpass to change passwords on all accounts, to up my iterations, to change my master password. So it’s not like they didn’t try to warn people. They didn’t hide it as some have implied.

      Reply
  4. lklkj

    I had moved from LastPass to another password manager about 18 months before the LastPass hack, but I still assumed LastPass had my old vault sitting around in their dev environment (I figured they were lying about everything), so I changed every single password and encryption key I had. It’s mind-blowing that people who had large amounts of crypto thought they were safe. It was all over the media, so they can’t claim ignorance.

    Reply
    1. vbb

      From the article: “LastPass still hasn’t alerted their customers that their secrets—especially those stored in “Secure Notes”—may be at risk.”

      Reply
  5. Michael

    Just seems to me to reinforce my choice to use FOSS Password Safe, with a Yubikey required along with its master password, was a better choice. I control where and how the database is stored and how many additional encryption layers it has. (e.g. Inside a veracrypt vault, whether the container file is local or in the cloud, etc)

    Reply
  6. Heikki Lahtela

    Lastpass did not encrypt those notes properly. That’s a fact. They did unforgivable business decisions and no user should ever trust them again and in fact they should be sued to oblivion.
    Br, former Lastpass user

    Reply
  7. Grammarly

    Clawback means a disbursement reversed, not recovery of stolen money

    Reply
  8. Billy Jack

    On my servers, I set the number of iterations for the passwords a few years ago to the point that it took about two and a half minutes to login. Since most of my connections are with ssh keys, this didn’t bother me much at all.

    However, I got to wondering whether or not having it that high might be a sort of self directed denial of service attack. In the course of two minutes, it’s not uncommon for there to be multiple attempts going on to guess passwords.

    So I shortened them back down to something on the order of about two or three seconds which seems much more reasonable.

    Reply
  9. Luca Antoniello

    The LastPass people are charlatans… they had one thing to do… and they did it badly, in fact terribly!

    Reply
  10. Tuna ÖZEN

    Centralized systems are the attack surface itself. No matter what the methods are, the system will end up being insecure, as long as the related files and passwords are stored in one piece.

    Reply
  11. Dave

    So, for those people that were impacted by this breach, and did get crypto drained, and already reported the event to FBI Cyber Crimes (with 0 reply)… what, if any, is their recourse for getting funds returned from the crypto that was seized?

    Reply
  12. CanadaGoose

    The biggest lesson here should be to NEVER store crypto seed words anywhere online.

    Reply
    1. vbb

      I agree. Heed the lesson: some things, like crypto seed words, are important and must be air gapped.

      Reply
  13. truckerdad58

    LastPass is, like others, the scapegoat. If you put your passwords online and that is the ONLY safeguard between you and your accounts… you are a fool! 2FA is a must when dealing with financial institutions. If your bank doesn’t support it, then you should move your funds elsewhere! Now crypto is another bastard in the world that needs to be understood as questionable!

    Reply
  14. Kent Brockman

    For personal finance accounts I only use locally stored password managers, never cloud-based. It just seems to me to be a risk not worth taking.

    Reply
  15. LPD

    Here’s the real question: WHY are we still using Passwords for authentication? There are simpler and more secure alternatives. Biometric-enabled, passwordless MFA. The world of authentication needs to catch up!

    Reply
    1. Fr00tL00ps

      Nothing is 100% secure EVER. It is a matter of many layers to reduce the attack surface. If it was that easy, I could compromise your devices by simply chopping off your thumb or gouging out your eyeballs.

      Reply
    2. Dick Curtis

      Biometric is just a password you can’t change. It’s not like the computers involved are exchanging your physical finger/face/iris between them. It’s being converted to ones & zeroes and subject to the same implementation/cracking issues any other password is.

      Reply
  16. Dennis

    The LastPass breach gave me a lot of headaches, for sure. It took me months to secure my online accounts. It was mostly time needed to change passwords for most of my online accounts, and moving my crypto to new wallets. But even that did not completely secure my data. Some of the static data that was in their vault is still exposed.

    All in all trusting in LastPass was probably the worst decision I’ve made in a while. All because of the paid off shills (like Leo Laporte and others) that were incessantly promoting it on their podcasts. Lessons learned. Never ever trust paid ads that online personalities promote on their shows.

    Reply
    1. Wannabe Techguy

      Leo and Steve Gibson were promoting L.P. when Joe Siegrist was still there. It seems to me (a non-IT pro) that they started going downhill when Joe sold them to “Log Me In”, who in turn were sold to a “private equity” firm IIRC.

      Reply
      1. Sc00bz

        LP was always bad according to anyone that looked into it. Here are just the funny bugs I found and reported in ~2009 and again every few years:
        * Used ECB… I think it was ECB decrypt but no encrypt because they lazily upgraded to CBC (ie only upgraded if you change the field).
        * Used email salted SHA-256 as a password KDF. (Fixed but defaulted to PBKDF2-SHA256 with 500 iterations. They upped it to 5,000 after I continued to tell them it’s not high enough. At 5,000, I was like fine but that’s not really high enough, but at least you exceed NIST’s recommendation of 1,000 iterations from 12 years prior (“February 2013 minus 12 years”). It’s now 600,000 because of my general recommendation which was adopted by OWASP. It’s pinned to current GPU speeds (<10,000 guesses/second) but now it's um weird. RTX 4090 was "1.5 GPUs" and RTX 5080s "exist" but… do they?).
        * On invalid padding it reported the decrypted byte that failed. (see padding oracle but minus the guessing part)… Oh wait this one was ~2013.
        * URLs were unencrypted and even if you disabled reporting login events it still reported them. They encrypt URLs as of 2024 (haven't checked but likely lazily upgraded (ie only if you change the URL))… Oh wait the "report login events" bug part was ~2013.
        * They fixed a silent downgrade attack. After I shamed them on Twitter. Sometime after, they removed the fix. Likely because coverage tests showed it never ran. Also it was a message of "hey it's possible you are being attacked, continue?". So it was kind of worthless.

        Oh besides all of that, if I had access to their web server I could compromise like 99% of users (reported January 2022, still unfixed as of a few months ago)… Yeah, yeah that's after it was sold but I knew of the compromising half of the attack for a decade. The social engineering part I found out when their system messed up and did that part of the attack. And I was like oh I didn't know LP had an official email for that. Which customer service could confirm as a real thing they could have sent or actually sent.

        ----

        My original reporting method was filling out the exit survey selecting "product is insecure" and putting the details in the comment field. This was before I knew the email security@… worked and maybe before it existed. Although the January 2022 reported bug still isn't fixed and I was told they were looking into it.

        Reply
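The comment above traces LastPass's PBKDF2-SHA256 iteration count from 500 to 5,000 to the 600,000 that OWASP now recommends. The script below is an added example (not LastPass's code and not from the article) that shows what that number buys a defender: it derives a vault key with the Python standard library's PBKDF2 implementation, times one guess at each historical iteration count, and estimates how many master-password guesses per second an offline attacker could make for a given HMAC-SHA256 throughput. The throughput figure, the master password and the salt are constructed sample values, not measurements of any real product.

```python
"""Why the PBKDF2 iteration count matters for a stolen password vault.

Added illustration; the iteration counts below are the ones quoted in the
comment above, and OWASP_PBKDF2_SHA256_ITERATIONS is the figure from the
OWASP Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256.
"""
import hashlib
import time

OWASP_PBKDF2_SHA256_ITERATIONS = 600_000
# LastPass defaults mentioned in the comment, in historical order.
HISTORICAL_ITERATIONS = (500, 5_000, 600_000)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault encryption key with PBKDF2-HMAC-SHA256.

    This mirrors the general scheme a password manager uses: the master
    password never leaves the client, only a key derived from it does.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def meets_recommendation(iterations: int) -> bool:
    """True when the iteration count is at or above the OWASP figure."""
    return iterations >= OWASP_PBKDF2_SHA256_ITERATIONS


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """How much more work each offline guess costs after raising the count."""
    return new_iterations / old_iterations


def attacker_guesses_per_second(iterations: int, hmac_sha256_per_second: float) -> float:
    """Estimate offline guess rate: one PBKDF2 guess costs `iterations` HMACs.

    `hmac_sha256_per_second` is whatever the attacker's hardware can do; the
    sample value used in __main__ is a constructed round number, not a
    benchmark of any specific GPU.
    """
    return hmac_sha256_per_second / iterations


def measure_seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine."""
    salt = b"constructed-sample-salt"  # real vaults use a random per-user salt
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def audit_iteration_counts(counts) -> dict:
    """Map each configured iteration count to whether it meets the recommendation."""
    return {count: meets_recommendation(count) for count in counts}


if __name__ == "__main__":
    SAMPLE_HMAC_RATE = 6e9  # constructed: HMAC-SHA256 operations per second
    print(f"{'iterations':>10} {'ok?':>5} {'sec/guess':>10} {'guesses/s':>12}")
    for count in HISTORICAL_ITERATIONS:
        print(
            f"{count:>10} {str(meets_recommendation(count)):>5} "
            f"{measure_seconds_per_guess(count):>10.4f} "
            f"{attacker_guesses_per_second(count, SAMPLE_HMAC_RATE):>12.0f}"
        )
    print(f"500 -> 600,000 makes each guess {cost_multiplier(500, 600_000):.0f}x more expensive")
```

The table this prints is the whole argument in one place: raising the count from 500 to 600,000 makes every offline guess 1,200 times more expensive, which is what turns "crack the weak master passwords in a stolen vault" from cheap into slow. Note that a vault exported with an old, low count stays at that count until the client re-derives the key, which is the "lazily upgraded" behaviour the comment complains about; the audit function is the kind of check that catches those stragglers.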
  17. Jay Ghoert

    As soon as LastPass announced the hack I changed all my passwords in the vault and all credentials – including seeds from cryptos. I don’t understand how after 2 years or even 2 weeks these people didn’t do the same. It’s as if I lost my credit card with all the pin codes attached to it but I just ignore it and don’t call the bank to cancel, which is just bad management. I don’t think LastPass can be blamed for that at this point and they have done a lot to improve security if you read their posts.

    Reply
  18. EvilSanta

    Monahan stated: “hundreds of millions of dollars has been stolen”
    Almost, but it was crypto. Which is not dollars. It is a token that is not money.
    Keep it honest. Just because you paid x or can sell it for x does not make it money/dollars.
    I find it disappointing that the crypto market keeps getting legitimized when we all know it will vanish one day. Best Ponzi scheme yet: the last ones holding the bag will have an empty sack.
    But on topic, yeah, LastPass failed big time by not disclosing.

    Reply
    1. mealy

      Just curious what you think the value of the dollar is actually in fact based on if not imaginary sh!t.

      Reply
  19. johhn

    I don’t store my passwords or other secrets in an online service for this reason.

    Yes, it can be secure if the encryption is strong and your master password is strong but accidents happen.

    If your secrets are stored in an online service they can be stolen and will be stolen.

    Then if the master password is compromised in any way, ALL your secrets are gone.

    I don’t even store my passwords in an offline manager.

    Reply