The white hat organization Security Alliance (SEAL) has warned users of LastPass to promptly relocate their cryptocurrency if their private keys have been stored on the platform since December 2022 or before.
In a recent turn of events, the infamous LastPass hackers have potentially spoiled the holiday season for 40 more victims by misappropriating $5.36 million worth of assets from LastPass users—merely eight days prior to Christmas.
LastPass experienced a significant data breach in December 2022, when cybercriminals managed to extract a backup of user vault data from its encrypted storage.
As of September, it was reported that over $35 million in cryptocurrency had already been stolen. When considering the latest theft of $5.36 million alongside a prior incident from October 25 involving $4.4 million, the total amount stolen nears $45 million.
The latest incident involved the stolen funds being converted into Ether (ETH), currently trading at $3,948.70, and was sent to various instant exchange platforms, according to blockchain investigator ZachXBT, who shared the news with his 48,400 Telegram followers on December 17.
ZachXBT provided on-chain evidence of the latest LastPass-related thefts through the crypto scam reporting site Chainabuse.
This serves as a critical reminder that any private keys or seed phrases stored in the LastPass password manager prior to 2023 are vulnerable, as emphasized by the white hat hacker group SEAL in a post on X on December 16, stating:
"Transfer your assets before hackers take them for you."
In addition to cryptocurrencies, a considerable amount of non-crypto funds has also been lost, with estimates indicating that approximately $250 million was stolen in May due to "tens of thousands of thefts," as noted by blockchain investigator Tay on X.
Both SEAL and Tay are part of a broader community of crypto advocates urging former LastPass users to transfer their assets out of LastPass before it becomes too late.
December: A Time for Increased Cyber Threats
The recent surge in LastPass hacking incidents coincides with a rise in scams as the Christmas season approaches.
The blockchain security firm Cyvers has pointed out that "hacker season" is officially here, advising everyone to be cautious and not trust anything that appears excessively festive. They also warned users not to disclose their two-factor authentication (2FA) codes and to steer clear of public Wi-Fi networks.
In a similar alert, Meta, the parent company of social media platforms such as Facebook, Instagram, and WhatsApp, has issued warnings to its users regarding various scam campaigns aimed at holiday shoppers. These campaigns include fraudulent promotions for Christmas gift boxes, fake holiday decoration sales, and counterfeit retail coupons.
Scammers within the cryptocurrency sphere may be attempting to recover losses incurred earlier this year, particularly after phishing-related thefts decreased by 53% month-over-month in November, totaling $9.3 million.
