After a data leak that took place several months ago, password manager LastPass reveals that the hacker may have accessed some sensitive customer information. So some precautions should be taken, for people who would have stored “seed phrases” of cryptocurrency wallets through this service.
LastPass password manager hacked
On Thursday, LastPass password manager teams reported that a hacker had gained access to sensitive data compromised in a leak on August 25:
“Based on our investigation to date, we have learned that an unknown malicious actor accessed a cloud-based storage environment by exploiting information obtained from the incident we previously disclosed in August 2022. “
A password manager allows, as the name suggests, to store all of one’s passwords, and to easily generate new, highly secure ones. The LastPass database, which was hacked, contains the personal information of customers stored in their safe. Since the safe can contain all kinds of data, such as identity documents or private keys to cryptocurrency wallets, this data is now subject to leakage.
As the safes are secured by passwords that are not stored by LastPass, the company says that the data they contain is still supposedly secure, as long as the password is not found.
However, one investor believes that LastPass would be failing to disclose the full extent of the situation, as four of his secondary wallets, whose seed phrase he stored on the app, have been emptied:
I think the situation at @LastPass may be worse than they are letting on.
On Sunday the 18th, four of my wallets were compromised. The losses are not significant.
Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.
– path.eth 🛡️ (@Cryptopathic) December 23, 2022
While the victim reassures that the losses are not significant, he insists that the password to his safe was not used anywhere else, and that its complexity rules out the possibility of a “brute force attack” being cracked.
What to do if you use LastPass
Given the sensitive data that may be hidden behind all of these passwords, you should not trust LastPass’ public communication alone.
If you were storing seed phrases from crypto wallets on this service, it would be wise to transfer all of these funds to a different private key address as a precaution.
Changing the master password to access the vault will not suffice, as the current password would remain the same on the stolen database, and the hacker(s) could still access the information stored on it.
It would therefore be prudent to change your password manager, but above all to reset all the passwords of all your accounts considered as “sensitive”. For two-factor authentications (2FA) hosted on the application, they should also be reset to use another service.
While this data leak is far more serious than LastPass claims, it should also be taken into account that any credit cards or identity documents that were stored in these safes could also be at risk.