LastPass Hackers Cracking Password Vaults - Experts Warns

Over the past year, cybercriminals have been able to gain access to third-party cloud systems and use them to access LastPass customer data, including password vaults. Apparently, the attackers are now cracking such password vaults to gain access to certain accounts.

As reported by Brian Krebs, product manager Taylor Monahan of MetaMask, a popular Ethereum crypto wallet, along with other IT researchers, investigated around 150 incidents in which criminals stole more than $35 million in cryptocurrencies. In doing so, they found clear evidence that cracked LastPass password vaults made this possible.

Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people, Collectively, these individuals have been robbed of more than $35 million worth of crypto. - Brian wrote.

LastPass Vaults Passwords are encrypted, but URLs don't

LastPass had stated that the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. 

These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.

However, since LastPass did not follow the recommendations of OWASP and only used about a third of the repetitions of the Password-Based Derivation Function 2 (PBKDF2) that should ideally be used, the manufacturer makes it a little easier to crack the master password. 

According to Monahan, all of the affected persons she served were long-term crypto investors with IT security awareness. None of them have noticed attacks that usually start such crypto robberies, such as the compromise of email accounts or smartphones. The victims are employees of renowned crypto organizations, venture capital firms, and those who have co-developed decentralized finance (DeFi) protocols, as well as providing contracts and even operating nodes.

Seed phrase as a universal key

What all victims have in common, however, is that they had previously used LastPass to store their "seed phrase", the private key to access their crypto assets. The seed phrase allows anyone to access the cryptocurrency holdings associated with the key and move them to any destination. Therefore, security-conscious crypto investors either use password managers for secure storage or even encrypted hardware devices.

Unciphered's head of analysis, Nick Bax, told Krebs that seed phrases are literally money. If someone copies them to a crypto wallet, they have access to all linked accounts. With his own analysis, he comes to the same conclusions as Mohan.

The IT researchers have published findings on the striking similarities in the way the victims' funds were stolen and laundered through certain cryptocurrency exchanges. They also found that the attackers often grouped victims together by sending their cryptocurrencies to the same crypto wallet.

LastPass has not commented to Krebs on these incidents, citing ongoing investigations into last year's incidents. LastPass users are strongly encouraged to renew their passwords for all managed accounts in light of the current threat.