LastPass hack - move your crypto assets to a more secure place right now!

[Iron Fist]

Bad news, folks! I just saw this article about how a bunch of LastPass users got hacked and lost millions in crypto.  So LastPass is that password manager where you can store all your passwords and stuff securely online.  But they got breached last year when someone stole an employee's credentials. and  Since then, hackers have been targeting LastPass users who might kept their crypto wallet info on there - private keys, seed phrases etc. 

According to the article, at least 25 LastPass users were hit and the hackers made off with about $4.4 million in crypto across different blockchains - Bitcoin, Ethereum, BNB Arbitrum, Solana, Polygon.. and users wallets got completely cleaned out in just one day.  Can you imagine logging in one day and seeing your entire crypto portfolio gone?!

This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!

LastPass Hack Victims Lose $4.4M in a Single Day


https://x.com/zachxbt/status/1717901088521687330?s=20

[1714328602]

1714328602

[1714328602]

1714328602

[1714328602]

1714328602

[1714328602]

1714328602

[1714328602]

1714328602

[BlackHatCoiner]

Nobody should be using an online password manager; especially when it comes to sensitive information like private keys. There is no reason to trusting intermediaries when you have cryptography. Install KeePassXC on both your main computer and your mobile. Use a strong password to encrypt both password databases. Back them up. Both the databas(es) (digitally) and the encryption pass (on paper).

[tjtonmoy]

I have once backed up my phrase key in an online notepad platform called Evernote. I have used it for a couple of months and after some time my wallet was hacked. Some kind of script or something was implemented in my wallet. Every time I try to deposit any native token like ETH, BNB or BTC, they were automatically sent out to a specific wallet address that belongs to the hacker. After that I have done my research and found out that it is highly risky to keep any backup online.

Everything that is related to internet, anything could happen to them at any time. Doesn't matter how secure it is or how much you trust the platform, it is not 100% sure that nothing will happen to them. Not your key, not your coin. So how can you trust your key to someone else. Online platforms are not immune to hacking. No matter how much secure it is if the right person chooses to hack it then of course he can. So be aware and make offline backups.

I don't have any online backup of my phrase key. So I have nothing to worry about.

[The Cryptovator]

Each of us would have a different view, but I think it will be a stupid decision to store your cryptographic credentials with a third party. I don't believe any third party when it's related financially. I don't even feel comfortable using a custodial wallet. Why should we hand over our wallet credentials to a third party? Can't we write our wallet credentials in our personal notebook? If we can't secure our wallet credentials, then we don't have the right to use crypto. There are many trusted non-custodial wallets, but we need to secure the seed phrase. Otherwise, we can't secure our funds anyway. However, this is a lesson and an important notice for crypto users. Just avoid such actions.

[Odohu]

The first thing anyone venturing into Internet related business should learn is security. By security, the issue of centralized and decentralized platforms should be taken seriously.  This hack have just proven once again that centralized platforms are not safe no matter how one view it.

I honestly wonder how someone will save sensitive information in am online platform. Anything connected to the Internet is already at risk, how much sensitive information that are willingly given to a third party.

Well, their loss is a lesson to others and I hope they recover the funds.

[bitmover]

LastPass is hacked every year or so. I don't get why do people usee such a software without doing any kind of research

LastPass is not safe.

https://www.pcworld.com/article/1419901/lastpass-got-hacked-again-and-this-time-your-data-got-taken.html

 An investigation has so far revealed that the breach stemmed from knowledge gained during the August 2022 incident, and that “certain elements of customers’ information” have been accessed.

..

LastPass has suffered hacks of its service in previous years, with notable incidents including 2015’s unauthorized access of user account email addresses, password reminders, and authentication hashes. Other security lapses include 2017’s browser extension vulnerability, which allowed websites to steal passwords. In 2019, the same security researcher who discovered the 2017 issue also discovered another browser extension vulnerability that allowed the last used password to be leaked. The company has even made communication bumbles, like security alert emails sent to customers unaffected by a credential stuffing attack.

And the list goes on!

I am now using ProtonPass, which i believe is  a more serious company. But nobody should store seeds or private keys in a password manager.

[Charles-Tim]

With how LastPass has been since many months ago after hackers was able to have access to millions of users encrypted backups, some people were still thinking something like this will not happen.

Probably many of the encrypted backups have been decrypted.

This has began since August 22, 2022 and now finally.

https://www.kiplinger.com/personal-finance/lastpass-hack

Do not trust online backups because anything online can be hacked. Offline backups are secure enough.

[AmoreJaz]

Each of us would have a different view, but I think it will be a stupid decision to store your cryptographic credentials with a third party. I don't believe any third party when it's related financially. I don't even feel comfortable using a custodial wallet. Why should we hand over our wallet credentials to a third party? Can't we write our wallet credentials in our personal notebook? If we can't secure our wallet credentials, then we don't have the right to use crypto. There are many trusted non-custodial wallets, but we need to secure the seed phrase. Otherwise, we can't secure our funds anyway. However, this is a lesson and an important notice for crypto users. Just avoid such actions.

people need to learn their lessons the hard way before they will come into their senses that using third party platforms is not the way to secure their funds or any other asset. it is always best to have total control of your assets by using noncustodial wallets. if you think you can't secure your seed phrases or passwords, maybe this asset is not for you. this is why i believe, a lot are still opting to use traditional banks because they don't want to be responsible in the security of their funds, and someone is taking care the storage for them.

[BitMaxz]

I have once backed up my phrase key in an online notepad platform called Evernote. I have used it for a couple of months and after some time my wallet was hacked. Some kind of script or something was implemented in my wallet. Every time I try to deposit any native token like ETH, BNB or BTC, they were automatically sent out to a specific wallet address that belongs to the hacker. After that I have done my research and found out that it is highly risky to keep any backup online.

That's pretty bad for storing sensitive keys any online site or 3rd party password manager always has risk and is vulnerable to any attacks.
I've used Evernote before for SEO purposes but not for storing any passwords or keys it makes your notes public or I think the owner of Evernote reads them.

The best storage for saving your seed backup or private keys digitally is by saving them into an offline device like old phones, encrypted USB flash drive or CD/DVD is also good storage if you want to save your keys for a long-term.

[darkangel11]

LastPass is hacked every year or so. I don't get why do people usee such a software without doing any kind of research

LastPass is not safe.

Online password managers are great if you know what you're doing.
Some of the things I've safely used them for:
-burner emails
-news sites that required an account to see the content
-online stores where you can buy without registering, but an account allows me to monitor my package
-sites that I knew I wouldn't use, but wanted to check out

Why wouldn't I use a normal password?
Because I have maybe 4 that I use in different combinations like with dates and special signs and I don't want to compromise them because those are the ones I always remember.
For the rest of them I use generated passwords or things that come to my mind at the time. Say I eat chicken with rice so my password will be chickenrice66 or something like that.
I don't remember these passwords after a week or so, and the password manager comes in handy.

[digaran]

So, people use online services to store their seed phrases/private keys? Ok, why don't you guys just give me your keys, I promise to keep them safe, whenever you wanted to access them, just give me the password, and I will let you access them.

I want to know what is the difference between me and last pass? Fine, I know I can't be there for you 24/7, but the security of your private keys is equal to the security of lastpass, why? Because of human element involved.
How can we educate people about this issue of trusting third parties with their funds? We'll grow white hair and die, people will continue to trust strangers, at least when you teach kids not to go with strangers they'd learn and listen, crypto community is less than kids in learning? Disappointment!

[Stalker22]

The first thing anyone venturing into Internet related business should learn is security. By security, the issue of centralized and decentralized platforms should be taken seriously.  This hack have just proven once again that centralized platforms are not safe no matter how one view it.

I honestly wonder how someone will save sensitive information in am online platform. Anything connected to the Internet is already at risk, how much sensitive information that are willingly given to a third party.

Well, their loss is a lesson to others and I hope they recover the funds.

But it is a password manager! The main thing they are supposed to do is keep people's private stuff safe.  And LastPass was really popular and had a good reputation and tons of users and  so how could they mess up security that bad? I mean sure there are better options like that KeePassXC, but you still gotta trust whoever makes it.  I know its open source so anyone can check the code, but not everyone can do that.

To be honest, I dont even know if there is a viable alternative to a password manager, since we all deal with hundreds of different passwords almost every day.

[headingnorth]

This is why you should not use closed source software for storing any sensitive information like  passwords.

Also why you should never use hardware wallet that is NOT open source such as Ledger hardware wallet, which had at least one or two data breaches in the past.

The moral of the story is -- stay far away from closed source products such as Lastpass and Ledger!

[tjtonmoy]

]
That's pretty bad for storing sensitive keys any online site or 3rd party password manager always has risk and is vulnerable to any attacks.
I've used Evernote before for SEO purposes but not for storing any passwords or keys it makes your notes public or I think the owner of Evernote reads them.

The best storage for saving your seed backup or private keys digitally is by saving them into an offline device like old phones, encrypted USB flash drive or CD/DVD is also good storage if you want to save your keys for a long-term.

Yeah, I know. I have learned it the hard way. There are some other method that I have came up with for storing private key online. Not the best and not the most secure one but it could provide great amount of security against hackers. It is hard to crack. Although I'm not going to reveal my whole secret but I will share another one that could give us the same kind of security.

We have 12 or 24 words in a private key. We can divide them into four or eight parts. We have three words in a group like that. We can easily randomize this group like 4213. After that we just need to remember this sequence of 4213. Then we can add four five or six even ten words between each group. That way we'll have a long list of words. If you put that list on the internet and the sequence is only known to you then it will be hard for any hackers to crack it. So I don't think keeping your private key online is a risk if it's done right.

That way we are immune to lose it and can access it anywhere we go. Because anything that is physical could be destroyed or lost. But multiple online backups could be accessed easily. Although this sounds so easy and theoretically it can't be cracked, I will never suggest anyone to back up their private key online.
I have suffered it so I know how it feels. Recently I am using air gapped device for storing my key and storing my assets.

[sokani]

This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!

LastPass password manager is closed source and I don't know why someone would trust such app with the safe storage of his/her seed phrase, private keys and other sensitive information. I could store my login details of websites in a password manager but what I will not do is to store the seed phrase of my wallet in it. Even if LassPass were to be an open source application, I'm totally against the idea of storing the seed phrase online. I don't know how difficult it is for people to just write down their seed phrase on a piece of paper and keep it safe.

[hugeblack]

It is a shame that a service that keeps your private data secure could be hacked in this way. After that, the announcement is from the 25th. Therefore, unless you follow the news, you may end up being the last to know. In general, I do not trust password management programs and it is better to use one of them. Provided that it is not online, that it is open source, and that you can set it up in an environment that will not be connected to the Internet.

[suzanne5223]

Bad news, folks! I just saw this article about how a bunch of LastPass us ers got hacked and lost millions in crypto.  So LastPass is that password manager where you can store all your passwords and stuff securely online. 

LastPass is not a platform to store passwords and stuff secure online, if it was the platform wouldn't have experienced hacks 3 times within 14 months because hackers can only manipulate or tamper platform with no code vulnerabilities or simultaneously upgrade their system but the company used their data encryption and multi-factor authentication options to gain the attention of alot of cryptocurrency investor.

[Broadanbig]

Thank you for this update. People who have saved their keys with lastpass should do the needful immediately to avoid losing their assets. This is yet another case that vindicate the need to saving your keys privately without involving a third party.  From the comments and reply i have read so far, seems the lastpass has been prone to hack and the has been a thing of back  to back hacking reoccurring without any much resistance. Does it mean that they  never bother or care abut the data and details of their users very much important to always be a target of hackers  on a regular basis. Possibly, there must be  rat in the house.

Third parties should not be the right resolution to saving passwords and sensitive information as they can not guarantee their own safety not to talk of customers safety. Many third parties have suffered hack and as a result of that, lost huge amount of funds under their custody and some have not been able to recover form the incidence while some are gradually standing back on their feet. The series of hack should be a lesson to the crypto community to start practicing self savings and self custody of assets and funds.

[bitmover]

LastPass is hacked every year or so. I don't get why do people usee such a software without doing any kind of research

LastPass is not safe.

Online password managers are great if you know what you're doing.

Everyone needs a password manager. There are great and they added much more security,  as they generate passwords automatically.

The problem is that lastpass is not safe by itself.  You want use a password manager. Just don't get the worst one.

[headingnorth]

It seems crazy to me why anyone would store such large amount of assets in a password manager
that is widely known to have serious security issues. Do people not read the news?

I would never use a Ledger again for the same reasons: Ledger is not only closed source but also suffered data breaches in the past.
Ledger was the first hardware wallet I ever used back in 2018 but switched to Trezor last year due to Ledger's widely reported security problems.