Data stolen from the password manager 'LastPass' may be being used to steal cryptocurrency



In the source code leak incident at the password manager 'LastPass' that occurred in August 2022, it was initially stated that 'no evidence of user passwords being stolen' had been found, but at the end of November it was discovered that user data had been accessed without authorization. The security blog Krebs on Security now reports that user passwords stolen from LastPass may have been cracked and used to steal cryptocurrency.

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach – Krebs on Security
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/



Taylor Monahan, founder of MetaMask, a popular cryptocurrency wallet for the Ethereum blockchain, conducted an investigation together with Nick Bax, director of analytics at the cryptocurrency wallet recovery company Unciphered, into more than 150 incidents of cryptocurrency theft that have occurred since late December 2022.

Almost all of the victims investigated by Monahan and her colleagues were long-time cryptocurrency investors and people with a strong interest in security. They also saw none of the events that usually precede common cryptocurrency thefts, such as email or smartphone compromises. 'The victim profile is very striking,' Monahan said.

After analyzing interviews with more than 150 victims who lost a total of $35 million (about 5.2 billion yen) in cryptocurrency, and tracing the wallets to which the stolen funds were sent from one victim to others, a common point emerged: the victims had been using the password manager LastPass. Monahan and her colleagues concluded that the victims had stored the seed phrases used to access their cryptocurrency wallets in LastPass, and that this data may have been included in the Vault data stolen in the LastPass data breach of August 2022.

'The seed phrase is literally the same as money,' Bax said. 'And they can also transfer my funds.'



Launched in 2008, LastPass let users centrally manage the passwords for their various accounts with a single 'master password' and had over 25 million security-conscious users. However, in a data breach that occurred in August 2022, the data in the 'Vault' where users stored their passwords was reported to have been leaked.

It turns out that passwords and personal information were stolen from the password management app 'LastPass' - GIGAZINE



LastPass does not itself store the master password set by the user, and its encryption is strong, so it has marketed itself as safe against hacking. However, if an attacker obtains the encrypted Vault data itself, they can run an offline brute force attack that tries a large number of candidate passwords, and the master password may eventually be cracked.

'If a large number of vaults are stolen, they are vulnerable to brute force attacks, especially if information about the vault owner is available,' said Nicholas Weaver, a researcher at Berkeley, California.

In addition, resistance to brute force attacks depends on the length of the master password and on the iteration count, which specifies how many computations are performed when deriving the secret key from the password. LastPass raised the minimum master password length to 12 characters in 2018 and raised the default iteration count several times, but it never forced existing users to change their master password or iteration count. Older users whose master password may still be only 8 characters and whose iteration count remains at a low default are therefore more vulnerable to brute force attacks.
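To make that trade-off concrete, here is an added Python example (not code from the article, Krebs on Security, or LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 and estimates how much offline work an exhaustive search costs under a short password with a low iteration count versus a 12-character password with a high count. The salt, the sample password and the iteration counts 5,000 and 600,000 are assumptions of this example, not figures given in the article.

```python
import hashlib
import time

# Constructed sample inputs, not from the article. The article only says the key
# is derived from the master password with an iteration count; the use of
# PBKDF2-HMAC-SHA256 and the email-style salt are assumptions of this example.
SALT = b"user@example.com"
MASTER_PASSWORD = "correct-horse-battery"
# Illustrative iteration counts (assumed): a low legacy default vs. a modern default.
LEGACY_ITERATIONS = 5_000
MODERN_ITERATIONS = 600_000

def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive offline search must try under this length policy."""
    return charset_size ** length

def total_kdf_rounds(charset_size: int, length: int, iterations: int) -> int:
    """Worst-case PBKDF2 rounds to exhaust the keyspace: each guess costs `iterations`."""
    return keyspace(charset_size, length) * iterations

def work_factor_ratio(weak: tuple, strong: tuple) -> float:
    """Times more KDF work `strong` forces on an attacker; each policy is
    (charset_size, length, iterations)."""
    return total_kdf_rounds(*strong) / total_kdf_rounds(*weak)

def measure_rounds_per_second(iterations: int = 20_000) -> float:
    """Single-core PBKDF2 throughput on this machine, in rounds per second."""
    start = time.perf_counter()
    derive_vault_key(MASTER_PASSWORD, SALT, iterations)
    return iterations / (time.perf_counter() - start)

def years_to_exhaust(policy: tuple, rounds_per_second: float) -> float:
    """Worst-case years for one core at the measured rate to try every candidate."""
    return total_kdf_rounds(*policy) / rounds_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    rate = measure_rounds_per_second()
    weak = (36, 8, LEGACY_ITERATIONS)     # 8 lowercase+digit chars, legacy iterations
    strong = (36, 12, MODERN_ITERATIONS)  # 12 chars, modern iterations
    print(f"measured rate: {rate:,.0f} PBKDF2 rounds/s on one core")
    print(f"weak policy  : {years_to_exhaust(weak, rate):,.1f} years to exhaust")
    print(f"strong policy: {years_to_exhaust(strong, rate):,.1f} years to exhaust")
    print(f"strong policy costs {work_factor_ratio(weak, strong):,.0f}x more KDF work")
```

The measured rate is for a single CPU core; an attacker with GPUs or many machines divides the years figure accordingly, which is why the ratio between the two policies matters more than the absolute numbers.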



LastPass did not respond to inquiries from Krebs on Security about this series of issues, citing the ongoing law enforcement investigation and litigation over the 2022 data breach. 'Since last year's attack on LastPass, we have been in constant contact with law enforcement,' LastPass said in a statement.

The LastPass data breach was caused by a highly sophisticated targeted attack on the home PC of an employee who had access to the Vault data. The attacker exploited a vulnerability in a media server the employee was running on their home network and planted keylogger malware on the PC, stealing the employee's master password and gaining access to the LastPass Vault data.

Data leak at password manager 'LastPass' was caused by the hacking of an employee's home PC - GIGAZINE



in Software, Web Service, Security, Posted by log1h_ik