Researchers found that almost every victim was a LastPass user.
More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists
These guys saved their seed phrases to LastPass, not just account passwords. You can't just change your seeds without moving funds to a new wallet.
The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.
instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden ... its opensource, free and much more secure and reliable
Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.
I'm using Syncthing to synchronize across devices which arguably took some fiddling to set up but I only had to fiddle once and haven't touched the configuration since; it just works automagically in the background.
I know Lemmy's classic "Google bad" but you know what? Google's password manager and authenticators never lost my passwords, never charged a subscription, didn't require me to invest money and effort into self hosting, never leaked, never disappeared, and always worked perfectly on any device within seconds of logging into my account.
Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service.
Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments.
These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets.
We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.
Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:
“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”
The original article contains 363 words, the summary contains 196 words. Saved 46%. I'm a bot and I'm open source!
I mean, they've had more than long enough to change passwords.
Nobody is after your password for the Moravian rug weaving forum but in this day and age it's on you, if you know there's a breach and you don't change your banking / crypto passwords.
I don't understand saving your passwords to the cloud in the first place
It is like storing all the passwords in one convenient place that can be accessed from any location on the planet, making it the most convenient and juicy target for hackers.
After years as a family plan subscriber, I moved my personal (1k+) passwords off of LP after the last -- and most egregious -- breach. I have quite a bit self hosted in my environment but Proton Pass interests me as I can get my wife and son in it easily as we already have the family plan.
Lemmy is loaded with tech savy, so my question is; same devil different form? I've tried BW but it wasn't condusive to the whole familys use (at least not a few years ago).
All that promotion/awards tagging as best password manager for nothing.
Glad I picked up KeyPassXC and KeyPassDX and sync between my phone and PC with gdrive
Anybody serious about security wouldn't store vital passwords online in the first place. The convenience isn't worth it when whatever company is used gets hacked because an intern got phished.