LastPass hack - move your crypto assets to a more secure place right now!

[Minor Miner]

This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!

LastPass password manager is closed source and I don't know why someone would trust such app with the safe storage of his/her seed phrase, private keys and other sensitive information. I could store my login details of websites in a password manager but what I will not do is to store the seed phrase of my wallet in it. Even if LassPass were to be an open source application, I'm totally against the idea of storing the seed phrase online. I don't know how difficult it is for people to just write down their seed phrase on a piece of paper and keep it safe.

Lastpass is a password manager that keeps getting hacked every year, but it's baffling that so many people still choose it.

I agree with you, whether open source and confirmed safe or never hacked, but using online storage platforms to store seed phrases is a bad idea. I don't know what method people use to store it, but in my opinion, it's best that Seed Phrase is always stored offline. There is no guarantee those online platforms will never be hacked. Password managers should only be used to store simple passwords, they should not be used to store extremely important things like seed phrases.

[1715525329]

1715525329

[1715525329]

1715525329

[1715525329]

1715525329

[TranTrongit]

Nobody should be using an online password manager; especially when it comes to sensitive information like private keys. There is no reason to trusting intermediaries when you have cryptography. Install KeePassXC on both your main computer and your mobile. Use a strong password to encrypt both password databases. Back them up. Both the databas(es) (digitally) and the encryption pass (on paper).

I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?

[Dr.Bitcoin_Strange]

So LastPass is that password manager where you can store all your passwords and stuff securely online. 

So, what's this now? (Rhetorical). Anything that is usually online is not safe because it can easily be breached. Just one mistake, and those hackers will gain access to the security that can make them steal a whole lot of money, like they have done from LastPass. Ledger Hardware Wallet tried to introduce the cloud storage of private keys, but after receiving some criticism, they did not further the plans again. But according to what I read on Cointelegraph, they (ledger hardware) were supposed to roll out a cloud-based private key recovery tool this month, which I don't intend to use that wallet due to their crazy idea. Who knows if they will also get back one day because of that new invention?

The safest way to secure an asset is to keep every bit of their secret information offline. Create your Bitcoin address and generate your private key or secret phrase on an AirGap device, and let it only be your cold storage wallet.

[selezneve]

This is just the beginning, such incidences will only rise from here. Hackers are targeting everything related to crypto that can be targeted in bulk. This is because even old people are associated with crypto and they are easy target of these hackers.

[Sarah Azhari]

So LastPass is that password manager where you can store all your passwords and stuff securely online. 

There is nothing too good when keeping the asset online. whatever it's; data, password, money, and especially crypto, there is no point when we still keep and believe the application online. the example above (LastPass) is a small thing that we often hear. So when you are active on media social, you will hear more than above. Many users on media social did not exploit it because they were embarrassed and didn't want to look stupid. They still believe the cloud or any application password online is saving them from oblivion, but in fact it is not really safe instead it makes him lose even more.

I don't know why people today are so lazy to write down passwords on paper, even if it's safer and they don't need money to subscribe to the application.

[Kryptowerk]

Bad news, folks! I just saw this article about how a bunch of LastPass users got hacked and lost millions in crypto.  So LastPass is that password manager where you can store all your passwords and stuff securely online.  But they got breached last year when someone stole an employee's credentials. and  Since then, hackers have been targeting LastPass users who might kept their crypto wallet info on there - private keys, seed phrases etc. 

According to the article, at least 25 LastPass users were hit and the hackers made off with about $4.4 million in crypto across different blockchains - Bitcoin, Ethereum, BNB Arbitrum, Solana, Polygon.. and users wallets got completely cleaned out in just one day.  Can you imagine logging in one day and seeing your entire crypto portfolio gone?!

This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!

LastPass Hack Victims Lose $4.4M in a Single Day


https://x.com/zachxbt/status/1717901088521687330?s=20

This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manage totally misunderstood tthe self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anythign related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

[Ale88]

I've been using a password manager for years (not LastPass by the way) because it's extremely useful, every time I need some kind of information it's right there, and I never had any problem. The only thing I would never store, no matter how much I trust the app, is the seed, it's just not worth taking such a big risk. If they steal the info some credit card info, ok, no problem, I'll get a refund, but if they steal your seed we all know how it ends.

[YUriy1991]

Good early warning from you OP.

Yes. It makes people very disappointed. I am 100 percent sure at this time There is no single system that is proven to be safe. Whatever that is. The mistake many people make is placing too much trust in recommendations and reviews written about a product.

Well, when it comes to online wallet services today, like those built into most exchanges, there is always a risk that the service will go out of business or steal our funds and claim that we revoked them.

[adaseb]

It’s not only lastpass that you should avoid storing anything sensitive. Even having your passwords saved on your browser is risky because anyone with access to the computer whether remote or physical can easily uncover them without any additional passwords.

You really are better off just keeping your passwords in a diary somewhere in your house pretty much. Sure they are handy those password managers but all it will take is some bug and everyone’s private info can be stolen and leaked.

[FinneysTrueVision]

Cloud storage is a really bad idea when it comes to backing up your Bitcoin private keys. There are many wallets which offer to back up your encrypted seed in the cloud but it is completely unnecessary. Your seed phrase written on paper or a metal plate and kept in a safe place is all you need to be able to restore access to your funds.

For password management there are much better solutions than LastPass including open source self-hosted options. Passwordless logins are even starting to become a thing.

[Wind_FURY]

Nobody should be using an online password manager; especially when it comes to sensitive information like private keys. There is no reason to trusting intermediaries when you have cryptography. Install KeePassXC on both your main computer and your mobile. Use a strong password to encrypt both password databases. Back them up. Both the databas(es) (digitally) and the encryption pass (on paper).

I never used LastPass, I was actually very surprised that their app doesn't let their users store their data locally. Or do they, and online storage is merely one of its features for convenience and accessability?

But OK, I would probably use something like that for hot-wallets containing small amount amounts of Bitcoin for playing Craps in a casino, but never for storing my Bitcoin life-savings.

[davis196]

I don't use LastPass. I don't even keep important passwords in my browser's password manager.
All the important passwords are stored in my head. LastPass being hacked proves that you can't trust any centralized entity with your sensitive information. It's weird that LastPass was hacked last year, but I haven't heard anything about this event.
There must be a way for the victims of this hack to find out who emptied their wallets. I'm sure that the police will find the hackers sooner or later.

[NotATether]

Lastpass does PBKDF2 on your password before storing it so if your Lastpass settings had at least 100k rounds (the default since like 2018, and also the value before the breach happened) configured and you used a super-strong password, or even a mildly strong password, it will take centuries for hackers to break into your vault.

It is likely that the hacked accounts were using some lower rounds of PBKDF2 - for a long time, Lastpass had it set to about 5000 or something, and then raised the default value over the years. Now it's 600k, but that's hardly relevant as the vaults have been stolen already.

Also if you even think about storing sensitive things like seed phrases online, you better encrypt it with a second layer of encryption such as GPG. There's no way anyone is ever going to break through that if you secure it properly. But still move your funds anyway if you can do it safely.

[aoluain]

✂️
 So LastPass is that password manager where you can store all your passwords and stuff securely online. 
✂️

Can you imagine logging in one day and seeing your entire crypto portfolio gone?!

✂️

It certainly does keep happening, I cant believe that firstly someone or a group of
people would offer this service and secondly that other people would actually
use it and put  100% faith into a platform just because they said it was a secure
way to store your info and out of laziness.

I wonder if those people who got hacked had a face palm moment when they realised
the error they made in not taking full control of their info.

[Blitzboy]

This situation is really annoying! This is yet another break, loss, or breach of trust that we are talking about. LastPass was meant to be a stronghold, but it was broken into, and the results were terrible. Thats a lot of crypto lost for nothing. A fake sense of safety? It gets old and annoying hearing about security leaks over and over again.

Because of this event, we need to take a hard look at our security measures and make some changes. Moving assets isnt enough; we need to completely rethink how we do things. Hardware wallets add an extra level of protection and control that is badly needed. People are being seriously asked to step up and protect possessions. We shouldnt be lazy. Lets act, protect, and secure.

[arwin100]

So LastPass is that password manager where you can store all your passwords and stuff securely online. 

There is nothing too good when keeping the asset online. whatever it's; data, password, money, and especially crypto, there is no point when we still keep and believe the application online. the example above (LastPass) is a small thing that we often hear. So when you are active on media social, you will hear more than above. Many users on media social did not exploit it because they were embarrassed and didn't want to look stupid. They still believe the cloud or any application password online is saving them from oblivion, but in fact it is not really safe instead it makes him lose even more.

I don't know why people today are so lazy to write down passwords on paper, even if it's safer and they don't need money to subscribe to the application.

Maybe for some accounts that doesn't deal with any financial matters then we can use those password manager to help us out store our password. But for using it to safekeep our important accounts which our money is there well I really have doubts about future security of those apps since we don't know how they will end up on future so usually on case like this I would rather use notebook and write all important information like password,private key and etc, then put it on my small vault for security. Really to bad there are still people believing its safe since anything could happen on online apps whatever they say its secured and can't get hack.

People should not be lazy regarding dealing on their important accounts so that they would not regret the past actions and will not worry about any hacking especially if something hacking issues like this happen  to a platform.

[Yamane_Keto]

Also if you even think about storing sensitive things like seed phrases online, you better encrypt it with a second layer of encryption such as GPG. There's no way anyone is ever going to break through that if you secure it properly. But still move your funds anyway if you can do it safely.

Adding a second layer of encryption would be good, but for a long time I have thought that the vulnerability is in Chrome extensions or other extensions. They are cute and add features to browsing, but they are bad in terms of privacy, and I honestly do not know how hackers can benefit from services like LastPass if they recommend that users add a second layer of encryption.

I have a theory that they are selling data and covering it up by saying that the service has been hacked.

LastPass password manager is closed source and I don't know why someone would trust such app with the safe storage of his/her seed phrase, private keys and other sensitive information.

People care about synchronization more than whether the service is closed or open source. People want to access all services from all devices without leaving the password for each device.

[NotATether]

Also if you even think about storing sensitive things like seed phrases online, you better encrypt it with a second layer of encryption such as GPG. There's no way anyone is ever going to break through that if you secure it properly. But still move your funds anyway if you can do it safely.

Adding a second layer of encryption would be good, but for a long time I have thought that the vulnerability is in Chrome extensions or other extensions. They are cute and add features to browsing, but they are bad in terms of privacy, and I honestly do not know how hackers can benefit from services like LastPass if they recommend that users add a second layer of encryption.

I have a theory that they are selling data and covering it up by saying that the service has been hacked.

A password manager selling its own vaults which leads to major losses for its own customers? That's a bit far fetched if you ask me, because if that were true, it would certainly mean the end of LastPass (if not already).

As far as extensions go, you need to somehow make sure that first you download the real, authentic version, and I'm not really sure of the process for which to verify the signatures of what you are downloading. At least not for stuff on the Chrome Web Store.

[blckhawk]

Such a disappointing product and service, I know that it's inevitable that breaches will happen but given that they've got breached so easily, it's just disappointing to me as I like the idea of password managers to help you in securing your accounts by having a diverse password without the worry of forgetting the access but it seems that things for me is going to change, you can't trust what they sell anymore, I guess I'm back to using pen and paper storage for my passwords. Christmas came early for these hackers with how much they've stolen from the users of LastPass.

[sokani]

It seems crazy to me why anyone would store such large amount of assets in a password manager
that is widely known to have serious security issues. Do people not read the news?

LassPass is not a wallet so no assets were kept their. They victims stored their seed phrase and private keys on the password manager which was compromised when LassPass got hacked.

I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?

I just went through KeePassXC website and it's not supported on mobile. KeePass, Padloc and Passbolt are open sourced password managers that are available on mobile versions. You can use them to save your passwords but I wouldn't advise you to save your seed phrase or private keys on them. For maximum security, anything seed phrase or private keys should be kept offline.