
Hardly a week goes by without news of a data breach hitting the headlines. Real consequences are seemingly rare, and successful attacks so common that it's almost tempting to ignore them and carry on as normal. But the LastPass data breach of 2022 saw criminals accessing entire password vaults, leading to a series of increasingly implausible denials from the company.

Now, it appears that the LastPass hack has led cybercriminals to steal over $35 million in cryptocurrencies.

What Happened in the 2022 LastPass Data Breach?

If you're conscious of the need to keep your online accounts safe, you need a password manager. Instead of memorizing strong passwords yourself or reusing the same password for everything (which we advise against), a password manager generates login credentials for you, and stores them in an encrypted online vault.

With a good password manager, you can unlock your vault using a master password—allowing the password manager to use a site-specific set of credentials to log you in.

When you come to rely on a password manager, you entrust it with your email, your online banking, your store rewards scheme, and yes, your crypto wallet.

Hackers breached LastPass in August 2022, and despite repeated reassurances from the company over several months, LastPass admitted in December 2022 that personal user data along with encrypted password vaults had been stolen. Around that time, MUO began receiving emails from LastPass customers claiming criminals were actively using their credentials.

Despite online speculation, and unsubstantiated reports that criminals were able to break into downloaded password vaults, LastPass continued to placate customers with statements that it would take millions of years to crack the master password.

As with earlier statements from LastPass, it's now emerging that this may not be entirely true, and a trail of suspicious transactions suggests that data taken from LastPass vaults is being used to steal digital assets.

How Criminals Are Using Stolen LastPass Credentials


To log into your bank account, you typically need more authentication than a simple password. Usually, your bank would require you to use a dedicated app, SMS verification, or another method of multifactor authentication.

This isn't true of crypto wallets, which are usually secured with a seed phrase of 12 or more words that gives complete and unrestricted access to the wallet's funds, private keys, and transactions. Armed with nothing but this series of words, an attacker can quickly and easily siphon your funds into the ether.

But a long series of random words can be just as difficult to remember as a particularly tricky password, and many people store these in their password manager vaults. And, as The Verge reports, that's great news for hackers, who seem to have stolen millions of dollars in crypto.

Nick Bax, director of analytics at Unciphered, has been reviewing a huge quantity of crypto theft data unearthed by MetaMask's Taylor Monahan and other researchers. In September 2023, he told KrebsOnSecurity that criminals had moved crypto "from multiple victims to the same blockchain addresses, making it possible to strongly link those victims."

After identifying and interviewing victims, he concluded that the only common factor was that they used LastPass to store their crypto seed phrases.

Bax is now urging any friends and family who use LastPass to change all their passwords and migrate any crypto that may have been exposed.

Change All Your Passwords Immediately

Criminals have had plenty of time to use stolen encryption keys to open stolen password vaults.

While it makes sense that thieves would target easily transferable crypto assets first, it's also likely that they have already recovered all of your stored LastPass passwords. They're under no time constraints, and will eventually get around to less valuable resources.

While they may not directly target email accounts, PayPal wallets, or banks, these assets can be packaged and sold to other criminal third parties.

If any of the passwords stored in a LastPass vault prior to 2022 are still in use, you should change them immediately.
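As an added example, not code from MUO, LastPass or the researchers quoted above, here is a small Python triage script in the spirit of Bax's advice: it scans a password-manager CSV export for entries whose password or notes field has the shape of a 12-to-24-word seed phrase, so those wallets can be migrated before anything else. The export column names are assumed, the sample rows are constructed, and the check is a shape heuristic rather than a BIP-39 validation.

```python
import csv
import io
import re

# BIP-39 seed phrases have 12, 15, 18, 21 or 24 words; each word is
# lowercase ASCII and between 3 and 8 letters long.
SEED_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def looks_like_seed_phrase(text):
    """Heuristic: True if text is a run of BIP-39-shaped words.

    Without the 2048-word BIP-39 list this checks shape only, so it can
    flag a false positive; it never asserts that a phrase is valid.
    """
    words = text.split()
    return len(words) in SEED_LENGTHS and all(WORD_RE.match(w) for w in words)


def triage_export(csv_text):
    """Return the names of entries whose password or notes look like a seed phrase."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumed column names: "password" and "extra" (free-text notes).
        for field in ("password", "extra"):
            if looks_like_seed_phrase(row.get(field) or ""):
                flagged.append(row.get("name") or "<unnamed>")
                break
    return flagged


# Constructed sample export with an assumed column layout; not real data.
SAMPLE = """url,username,password,totp,extra,name,grouping,fav
https://example.test,alice,Tr0ub4dor&3,,,Example Mail,,0
,,abandon ability able about above absent absorb abstract absurd abuse access accident,,,Hardware wallet backup,Crypto,0
,,,,"army van defense carry jealous true garbage claim echo media make crunch",Exchange seed,Crypto,0
"""

if __name__ == "__main__":
    for name in triage_export(SAMPLE):
        print("migrate first:", name)
```

Anything the script flags should be treated as already exposed: move the funds to a wallet created from a fresh seed phrase, and only then rotate the remaining passwords.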