On April 15, a crypto holder took to Reddit claiming he lost $50,000 worth of cryptocurrencies following an alleged exploit on LastPass.
Crypto holder loses $50,000 worth of tokens
LastPass is a password management tool that makes it easier for people to save, among other sensitive data, details of their passwords, logins, and even card numbers.
The crypto holder, who runs the password management tool on his Windows 7 desktop and Samsung Galaxy smartphone, used the software to store his tokens’ private keys. Two of his wallets had not been installed on his desktop, which runs a deprecated operating system, but instead on his smartphone.
It is not immediately clear which version of the Samsung Galaxy series the crypto holder used. However, he claims that his wallets were certified secure by their creators and that there was no malware on his phone. For this reason, he is convinced that the vulnerability is highly likely in LastPass.
After the hacker accessed the private keys to his crypto wallet, all tokens, worth $50,000, were converted to bitcoin (BTC) through an in-built feature provided by the wallet provider. Bitcoin is the world’s most liquid digital asset by market capitalization.
In cryptocurrency, wallets are critical for storing tokens or coins and interacting with the mainnet. A private key is used to prove ownership and to sign transactions. In this case, the crypto holder used LastPass to store private keys; an unauthorized third party gained access to them and transferred the assets to their own custody. The immutable nature of crypto transactions means the crypto holder has permanently lost access to his assets. The only way he could recover them is if the hacker has a change of heart and sends the coins back.
The LastPass hack
The victim now wants LastPass to investigate this hack so that it can be prevented in the future. Last year, LastPass was hacked, and all its vaults were stolen. Out of this, there have been subsequent hacks affecting even some of the firm’s senior executives.
In early March 2023, LastPass said the home computer of one of its senior engineers had been hacked, most probably using credentials from the 2022 hack. From this hack, LastPass said hackers got access to confidential corporate vaults. They reportedly had encryption keys to vaults of 30 million customers backed up on Amazon Web servers.