Last year, cybercriminals gained access to third-party cloud systems and obtained LastPass customer data, including password vaults. The attackers now appear to be cracking those vaults in order to take over specific accounts.
As Brian Krebs reports, product manager Taylor Monahan of MetaMask, a popular Ethereum crypto wallet, along with other IT researchers, investigated around 150 incidents in which criminals stole more than $35 million in cryptocurrencies. They found clear evidence that cracked LastPass password vaults made this possible.
LastPass Password Vaults: Passwords are encrypted, but URLs are not
Shortly before Christmas last year, LastPass stated that although the URLs were unencrypted, the usernames and passwords were secured with 256-bit AES. The vaults are, however, available offline to whoever holds them, which permits unthrottled brute-force attacks on the master password. Moreover, because LastPass did not follow OWASP's recommendation and used only around a third of the recommended iteration count for Password-Based Key Derivation Function 2 (PBKDF2), the vendor itself made cracking the master password somewhat easier. Users may also have ignored LastPass's advice against master passwords that are too short or easy to guess. The company further recommended that users who do not use Federated Login Services change the passwords stored in LastPass.
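To make the iteration-count point concrete, here is an added example (not code from the article, LastPass or OWASP) that derives a vault key with PBKDF2-HMAC-SHA256, benchmarks the cost of a single derivation, and reports how much cheaper offline guessing becomes when the count falls below a recommended value. The concrete counts are assumptions for illustration, since the article only says "around a third".

```python
import hashlib
import math
import time

# Constructed example values: the article gives no concrete numbers, only that
# LastPass used roughly a third of the OWASP-recommended PBKDF2 iterations.
ASSUMED_VAULT_ITERATIONS = 100_100   # assumed LastPass default at the time
ASSUMED_RECOMMENDED = 310_000        # assumed OWASP PBKDF2-HMAC-SHA256 figure at the time


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output, the KDF the article names.
    The output is deterministic for (password, salt, iterations), which is
    exactly what lets someone holding an offline vault test guesses unthrottled."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, 32)


def seconds_per_derivation(iterations: int, repeats: int = 3) -> float:
    """Rough single-core cost of one derivation on this machine (best of N runs)."""
    best = math.inf
    for _ in range(repeats):
        t0 = time.perf_counter()
        derive_vault_key("benchmark-only", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def audit_kdf_settings(iterations: int, recommended: int = ASSUMED_RECOMMENDED) -> dict:
    """Compare a vault's iteration count with the recommended one.
    PBKDF2 work grows linearly with the count, so the ratio is the factor by
    which each guess is cheaper than it would be at the recommended setting."""
    return {
        "iterations": iterations,
        "recommended": recommended,
        "meets_recommendation": iterations >= recommended,
        "guess_cost_reduction": recommended / iterations,
    }


def expected_seconds_to_exhaust(entropy_bits: float, iterations: int) -> float:
    """Single-core estimate of exhausting a master-password space of the given
    entropy; shows that both the KDF count and password strength set the exposure."""
    return (2 ** entropy_bits) * seconds_per_derivation(iterations)


if __name__ == "__main__":
    print(audit_kdf_settings(ASSUMED_VAULT_ITERATIONS))
    for bits in (28, 40, 60):  # very weak, weak, and reasonable master passwords
        print(bits, "bits:", round(expected_seconds_to_exhaust(bits, ASSUMED_VAULT_ITERATIONS)), "s")
```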
According to Monahan, all of the affected people she assisted were long-term crypto investors who were aware of IT security. None of them had noticed the preliminary steps such crypto heists usually begin with, such as a compromised email account or smartphone. The victims are employees of well-known crypto organizations and venture capital firms, and people who have co-developed DeFi (decentralized finance) protocols, provide contracts, and even operate nodes.
Seed phrase as a universal key
What all victims have in common, however, is that they had previously used LastPass to store their "seed phrase", the private key that grants access to their crypto assets. The seed phrase allows anyone who holds it to access the cryptocurrency holdings associated with the key and move them to any destination. Security-conscious crypto investors therefore store it either in a password manager or on an encrypted hardware device.
Unciphered's head of analytics, Nick Bax, explained to Krebs that the seed phrases are literally money: anyone who copies them into a crypto wallet has access to all linked accounts. His own analysis led him to the same conclusions as Monahan.
The IT researchers have published findings about the striking similarities in the way victims’ funds were stolen and laundered through certain cryptocurrency exchanges. They also found that the attackers often grouped victims together by sending their cryptocurrencies to the same crypto wallet.
LastPass has not commented to Krebs on these events, citing the ongoing investigation into last year's incidents. Given the current threat, LastPass users are strongly advised to change the passwords stored in LastPass for all managed accounts.