
It's been almost a year since LastPass, one of the most widely used password managers out there, suffered a catastrophic security breach that all but eroded confidence in the service, along with the company's prestige in the tech community at large. While it looked like the worst had already happened, it now appears the consequences are more far-reaching than we initially thought: a series of thefts points to the breach as the likely culprit.

Since the breach was disclosed, a series of cryptocurrency thefts has taken place over the following months. These heists have targeted security-conscious people and have been documented by Taylor Monahan, the lead product manager of MetaMask (one of the top local cryptocurrency and NFT wallets, mostly used for the Ethereum blockchain). So far, the thefts have targeted over 150 people, who have been robbed of over $35 million worth of crypto. The root cause behind these thefts was mostly unknown, but Monahan has now said that nearly all victims had previously used LastPass to store their seed phrase, a wallet's private key that can be used to gain access to the wallet.

Back when the breach was disclosed, it was known that hackers had gained access to encrypted password vaults, but according to LastPass, passwords and private information within those vaults were still encrypted and safe. Because of this, many people chose not to worry much about it: if hackers can't access the goods, then there's no need to change them.

If LastPass is indeed the culprit behind these crypto thefts, though, then it means malicious actors are managing to decrypt the vaults and break into them, obtaining crypto credentials and any passwords contained there. And given that more than 25 million people had their supposedly secure vaults stolen, this would be catastrophic news. For what it's worth, back when the breach was disclosed, it was followed by weeks of "oops, sorry, this might be worse than we thought," so we already knew that it was a disaster.

If you were a LastPass user affected by the breach, you should immediately change any password you had stored within the service. In addition, you should take appropriate measures for anything else you have stored there: if you happen to have any cryptocurrency, you should move it to a different wallet.

Source: KrebsOnSecurity via Web3 is Going Just Great