Rob Behnke
December 19th, 2024
In 2022, LastPass suffered a security incident with long-term impacts. Attackers with access to encrypted password vaults have cracked several over the last couple of years, allowing them to steal crypto from users who stored private keys in those vaults. In total, an estimated $45 million has been stolen from crypto users as a result of this breach, including $12.38 million on December 16 and 17, 2024 alone.
The LastPass saga began in August 2022, when the company reported a breach, claiming that the leaked information included source code and technical information. At the time, LastPass stated that no customer data had been breached.
Further investigation revealed that the attacker used information from the initial breach to target one of the company’s employees. This provided access to customer data stored in the cloud, including unencrypted metadata and some customers’ encrypted vaults.
In theory, encrypted vaults should be useless to an attacker. However, each vault is encrypted using a Master Password that is selected by the user. As a result, the security of the users’ vaults depends on the strength of the password that they used to secure them. LastPass acknowledged this in their announcement, encouraging users with Master Passwords that don’t follow company recommendations to change the passwords stored in the vault.
The attackers behind the LastPass breach have obviously been working to crack these passwords since the breach. Periodically, crypto has been stolen from wallets in batches as the hackers gain access to private keys stored in these vaults. This could be due to vaults using weak passwords or their owners falling victim to phishing attacks targeting these Master Passwords.
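The two paragraphs above rest on one mechanism: the vault key is derived from the Master Password, so whoever holds a stolen encrypted vault can test candidate passwords offline, and the cost of each guess is set by the key-derivation work factor while the number of guesses needed is set by the password's entropy. The example below is added here to make that cost model concrete; it is not code from the post or from LastPass. It assumes a PBKDF2-HMAC-SHA256 derivation (the KDF family password managers commonly use), a constructed attacker throughput of 1e10 HMAC computations per second, and a tiny constructed stand-in for a breached-password list. It goes slightly beyond the text by treating the iteration count as a second lever alongside password strength.

```python
import hashlib
import math
import string

# Constructed assumptions for this example (not figures from the post):
# - PBKDF2-HMAC-SHA256 as the Master Password key-derivation function
# - an attacker throughput of 1e10 HMAC-SHA256 computations per second
ATTACKER_HASHES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Tiny constructed stand-in for a breached-password list; a real check
# would consult a full corpus of leaked credentials.
KNOWN_WEAK_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "sunshine"}


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the Master Password.

    The key is never stored; it is recomputed from the password on every
    unlock. That is exactly why a leaked ciphertext can be attacked offline:
    each candidate password costs the attacker one PBKDF2 run of
    `iterations` HMAC computations, and a correct guess is self-verifying.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy in bits.

    Assumes the password was drawn uniformly from the character classes it
    uses. A known leaked password is scored as zero bits, which is closer to
    the truth for an attacker working from wordlists than the class-based
    estimate would be.
    """
    if password.lower() in KNOWN_WEAK_PASSWORDS:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def expected_crack_years(entropy_bits: float, iterations: int,
                         hashes_per_second: float = ATTACKER_HASHES_PER_SECOND) -> float:
    """Expected offline cracking time in years.

    On average the attacker tries half the keyspace (at least one guess);
    each guess costs one full PBKDF2 run of `iterations` HMAC-SHA256 calls.
    Doubling the iteration count doubles the cost of every guess; adding one
    bit of entropy doubles the number of guesses.
    """
    expected_guesses = max(1.0, 2.0 ** (entropy_bits - 1))
    seconds = expected_guesses * iterations / hashes_per_second
    return seconds / SECONDS_PER_YEAR


def vault_risk_report(master_password: str, iterations: int) -> dict:
    """Summarise how exposed a stolen vault would be under these settings."""
    bits = password_entropy_bits(master_password)
    return {
        "entropy_bits": round(bits, 1),
        "iterations": iterations,
        "expected_crack_years": expected_crack_years(bits, iterations),
    }


if __name__ == "__main__":
    salt = b"constructed-example-salt"
    # Same password and salt always yield the same key; that determinism is
    # what makes offline guessing possible once the ciphertext has leaked.
    assert derive_vault_key("correct horse", salt, 1000) == derive_vault_key("correct horse", salt, 1000)
    # A leaked word, a short random string, and a long random string, each at
    # a low and a high iteration count (both counts are constructed values).
    for pw in ["sunshine", "Xk3!m9", "n7$Wq2!pLz9#vBk4eR5m"]:
        for iters in (5_000, 600_000):
            print(pw, vault_risk_report(pw, iters))
```

The report makes the post's point visible in numbers: a leaked word falls in a single guess no matter how many iterations the vault uses, a short random string survives days rather than years, and only a long random password pushes the expected time beyond any practical horizon. A high iteration count helps, but it multiplies cost linearly, whereas each added character multiplies the guess count by the size of the character pool.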
The LastPass incident was a mix of security best practices and blunders. On the one hand, storing passwords and private keys in a password manager is a good way to protect this sensitive data. While it’s not as secure as a hardware wallet, a password manager stores all credentials in an encrypted format and encourages users to use long, random, unique passwords by eliminating the need to memorize passwords.
While LastPass suffered a breach, the exposure of encrypted password vaults should have been a non-event since encrypted data is unreadable to an attacker. However, the fact that some users selected weak passwords to secure their vaults — or fell prey to phishing attacks targeting those credentials — exposed the contents of these vaults to the attacker.
Private key security is essential to the security of an individual’s or organization’s on-chain accounts. Learn more about best practices for private key security in our blog.