Security warning over cryptocurrency wallets protected with LastPass passphrase
People who use the password manager LastPass to secure their online accounts must take immediate action and change their passwords after a recent, major hack. And if people secure their cryptocurrency accounts or wallets using LastPass, they must urgently create a completely new account as quickly as possible and move the virtual money there, cautioned Daan Keuper, the Head of Research at cybersecurity firm Computest in Zoetermeer.
“That is the only way to secure your bitcoins,” Keuper said.
The attack on LastPass came to light last year. Hackers managed to gain access to a WiFi connection in an employee’s home. In this way, they intercepted the passwords that the employee used to log in. This provided access to the American company’s internal systems.
The hackers could then access the raw data related to LastPass users’ saved passwords. These codes are encrypted and cannot yet be used, but for some users it turned out to be possible to break the encryption. In that case, the hackers could gain access to all of those users’ accounts at once.
According to Keuper, it appears that the attackers have already succeeded. “Bitcoins are being stolen everywhere from LastPass users. So far, it appears that approximately 30 million euros worth of bitcoins have been stolen.”
Cryptocurrency accounts are often protected with a password, and as additional protection they utilize a code of 12 or 24 randomly selected words known as a “seed phrase.” Those words can be used to regain control over an account if access is ever lost. The words are automatically created when someone opens an account and cannot be changed.
Everyone who has thus far fallen victim to the bitcoin heist had a passphrase stored in LastPass, and their data may have wound up in the wrong hands. “If malicious parties manage to crack the passphrase, they can siphon off the money, even if you have changed the password.”
Reporting by ANP