Bye Bye Bitcoin
Last year was not good for LastPass, with an initial breach occurring in August to grab data which seems to have provided the tools for a far more serious breach in November. The second breach allowed the attackers to harvest encrypted and plaintext data for more than 25 million LastPass users. At the time LastPass assured their customers that there was no way for attackers to defeat the 2FA protection they make use of, in the incredibly unlikely event that the attackers could even unencrypt the data they stole. A pattern has emerged which suggests that may not be true.
According to the story over at Slashdot, since that second breach over 150 LastPass users have had a significant amount of cryptocurrency stolen, somewhere in the neighbourhood of $35 million. These thefts seem to follow a pattern, hitting long time cryptocurrency investors who are described as security conscious. The researchers who spotted the pattern became suspicious when they noticed a lack of the usual precursors to the theft, no email breaches nor the theft or impersonation of the persons cellphone. The one thing they all have in common is a breached LastPass account.
This isn’t absolute proof that LastPass passwords are being cracked but it certainly raises the possibility.