A new wave of cyberattacks has hit LastPass users, with hackers stealing over $5.36 million from cryptocurrency wallets just days before Christmas. The Security Alliance (SEAL), a white-hat cybersecurity group, is urging users to transfer their crypto assets if they stored private keys on LastPass before 2023.
The warning comes after a December 2022 data breach allowed attackers to access encrypted backups of customer vaults, exposing sensitive information like private keys and seed phrases. Blockchain investigator ZachXBT, who reported the latest attacks, revealed that the stolen funds were converted to Ether (ETH) and moved through various instant exchanges.
The Growing Toll of LastPass Breaches
The LastPass breach has caused significant financial damage over the past year. As of September, more than $35 million worth of crypto had been stolen. Recent incidents, including a $4.4 million hack in October and the latest $5.36 million theft, bring the total losses closer to $45 million.
The impact extends beyond crypto. In May, an estimated $250 million was stolen from non-crypto accounts in what blockchain investigator Tay described as “tens of thousands of thefts.” These events highlight the ongoing risks for users who stored sensitive information on LastPass before the breach.
Experts Urge Immediate Action
SEAL and other cybersecurity advocates stress the need for urgent action. They warn that any private keys or seed phrases stored on LastPass before 2023 remain vulnerable. In a Dec. 16 message, SEAL advised: “Move your assets before hackers move them for you.”
Experts are also calling for increased vigilance among users, especially those in the crypto space. With hackers continuing to exploit stolen data, transferring funds to secure wallets is critical to avoid further losses.