Using Hacked LastPass Keys to Steal Cryptocurrency
Remember last November, when hackers broke into the network for LastPass—a password database—and stole password vaults with both encrypted and plaintext data for over 25 million users?
Well, they’re now using that data to break into crypto wallets and drain them: $35 million and counting, all going into a single wallet.
That’s a really profitable hack. (It’s also bad opsec. The hackers need to move and launder all that money quickly.)
Look, I know that online password databases are more convenient. But they’re also risky. This is why my Password Safe is local only. (I know this sounds like a commercial, but Password Safe is not a commercial product.)
Winter • September 18, 2023 9:57 AM
There is something to say for being more careful with the seed to your bitcoin/Ethereum wallet containing millions of dollars of value than with some random utility password.
However, the suggestion to use a “locally” stored password safe is not for everyone. Getting such a password safe to synchronize over the internet is non-trivial[1] and being excluded from an important site after you just set a 36 character random password from home/workplace just because you are currently working from workplace/home can truly ruin your day. So I still stick to an online password safe.
But if you read the example from Brian Krebs’s article of a Lastpass user with more than $3M in cryptocoins, I have to shudder:
An 8 character password for $3M+ in value? Please, memorize a nice 30+ character phrase that is not in the internet and that you never searched for [2].
The fault with Lastpass is not so much in their product, but in not getting people to choose better passphrases. Which, BTW, is Brian Krebs’s main criticism of Lastpass, by quoting Wladimir Palant:
[1] I have tried, and failed several times.
[2] All search phrases are archived and for sale.
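The arithmetic behind the comment's objection to an 8-character master password, as an added worked example (it is not part of the post above or of the comment, and it is not code from LastPass or Password Safe). It computes the keyspace of a random character password and of a random word passphrase, and the expected time an attacker holding a stolen, encrypted vault would need to exhaust half of it. The guess rate of 1e9 per second, the 95-symbol printable alphabet and the 7776-word list are assumptions chosen for illustration; a real offline rate depends on the vault's key-derivation settings and the attacker's hardware, which the page does not give.

```python
import math

# Assumed, illustrative offline guess rate against a stolen encrypted vault
# (guesses per second). A constructed figure: the real rate depends on the
# vault's KDF iteration count and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 1e9

# Assumed alphabets: printable ASCII and a diceware-style word list.
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly at random from
    an alphabet of `alphabet_size` symbols. This is an upper bound: a
    human-chosen password or phrase has less entropy than a random one."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be > 0 and alphabet_size > 1")
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a
    word list of `dictionary_size` entries (each word is one symbol)."""
    return keyspace_bits(words, dictionary_size)


def expected_crack_seconds(bits: float,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time for exhaustive search: on average half the keyspace
    (2**(bits-1) guesses) is tried before the secret is found."""
    return (2.0 ** (bits - 1)) / guesses_per_second


def expected_crack_years(bits: float,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    return expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of random symbols from `alphabet_size` that reaches
    `target_bits` of entropy (useful when setting a password policy)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_candidates() -> dict:
    """Keyspace and expected offline cracking time for a few candidates:
    the 8-character password the comment objects to, a longer random
    password, and random word passphrases of the length it recommends."""
    candidates = {
        "8 random printable chars": keyspace_bits(8, PRINTABLE_ASCII),
        "13 random printable chars": keyspace_bits(13, PRINTABLE_ASCII),
        "6 random diceware words": passphrase_bits(6),
        "8 random diceware words": passphrase_bits(8),
    }
    return {name: (bits, expected_crack_years(bits)) for name, bits in candidates.items()}


if __name__ == "__main__":
    print(f"assumed rate: {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
    for name, (bits, years) in compare_candidates().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:10.3g} years")
    print("printable-ASCII length for 80 bits:",
          min_length_for_bits(80, PRINTABLE_ASCII))
```

The table this prints shows the gap the comment points at: at the assumed rate the 8-character random password falls in well under a year, while each added character multiplies the cost by the alphabet size, and a six-word random passphrase is out of reach by orders of magnitude. The numbers are only as good as the assumed rate, so raise or lower `ASSUMED_GUESSES_PER_SECOND` to see how much a slow key-derivation function buys a user who still picks a short secret (not enough), versus what length buys on its own.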