Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach – Krebs on Security



In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

Taylor Monahan is founder and CEO of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.

Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the kinds of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.

“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”

Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.


MetaMask owner Taylor Monahan on Twitter. Image: twitter.com/tayvano

Armed with your secret seed phrase, anyone can instantly access all the cryptocurrency holdings tied to that cryptographic key, and move the funds anywhere they like.

Which is why the best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some kind of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.

“The seed phrase is literally the money,” said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery firm. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds.”

Bax said he closely reviewed the massive trove of cryptocurrency theft data that Taylor Monahan and others have collected and linked together.

“It’s one of the broadest and most complex cryptocurrency investigations I’ve ever seen,” Bax said. “I ran my own analysis on top of their data and reached the same conclusion that Taylor reported. The threat actor moved stolen funds from multiple victims to the same blockchain addresses, making it possible to strongly link those victims.”

Bax, Monahan and others interviewed for this story say they’ve identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.

KrebsOnSecurity has reviewed this signature but is not publishing it at the request of Monahan and other researchers, who say doing so could cause the attackers to alter their operations in ways that make their criminal activity harder to track.

But the researchers have published findings about the dramatic similarities in the ways that victim funds were stolen and laundered through specific cryptocurrency exchanges. They also found the attackers frequently grouped victims together by sending their cryptocurrencies to the same destination crypto wallet.

A graphic published by @tayvano on Twitter depicting the movement of stolen cryptocurrencies from victims who used LastPass to store their crypto seed phrases.

By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.

Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story.

Bax said the only obvious commonality between the victims who agreed to be interviewed was that they’d stored the seed phrases for their cryptocurrency wallets in LastPass.

“On top of the overlapping indicators of compromise, there are more circumstantial behavioral patterns and tradecraft which are also consistent between different thefts and support the conclusion,” Bax told KrebsOnSecurity. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.

“Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation,” LastPass said in a written statement provided to KrebsOnSecurity. “Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so.”

Their statement continues:

“We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com.”

THE LASTPASS BREACH(ES)

On August 25, 2022, LastPass CEO Karim Toubba wrote to users that the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

Dan Goodin at Ars Technica reported and then confirmed that the attackers exploited a known vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

OFFLINE ATTACKS

A basic function of LastPass is that it will pick and remember long, complex passwords for each of your websites or online services. To automatically fill in the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.

LastPass has always emphasized that if you lose this master password, that’s too bad, because they don’t store it and their encryption is so strong that even they can’t help you recover it.

But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.

“It does leave things vulnerable to brute force when the vaults are stolen en masse, especially if info about the vault HOLDER is available,” said Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis. “So you just crunch and crunch and crunch with GPUs, with a priority list of vaults you target.”

How hard would it be for well-resourced criminals to crack the master passwords securing LastPass user vaults? Perhaps the best answer to this question comes from Wladimir Palant, a security researcher and the original developer behind the Adblock Plus browser plugin.

In a December 2022 blog post, Palant explained that the crackability of LastPass master passwords depends largely on two things: the complexity of the master password, and the default settings for LastPass users, which appear to have varied quite a bit based on when those users began patronizing the service.

LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”

But Palant said that while LastPass did improve its master password defaults in 2018, it did not force all existing customers who had shorter master passwords to pick new credentials that would satisfy the 12-character minimum.

“If you are a LastPass customer, chances are that you are completely unaware of this requirement,” Palant wrote. “That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.”

Palant believes LastPass also failed to upgrade many older, original customers to the stronger encryption protections that were offered to newer customers over the years. One important setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.

Palant noted last year that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000.

Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iteration counts in their LastPass settings.

“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”

A chart on Palant’s blog post offers an idea of how increasing the iteration count dramatically increases the cost and time needed by attackers to crack someone’s master password. Palant said it would take a single GPU about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.

Image: palant.info

However, these numbers come down radically when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.

Weaver said a password or passphrase with average complexity, such as “Correct Horse Battery Staple,” is only secure against online attacks, and that its roughly 40 bits of randomness or “entropy” means a graphics card can blow through it in no time.

“An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations, but that would go down to 8 thousand per second with 500,000 iterations, which is why iteration count matters so much,” Weaver said. “So a combination of ‘not THAT strong of a password’ and ‘old vault’ and ‘low iteration count’ would make it theoretically crackable but real work, but the work is worth it given the targets.”

Reached by KrebsOnSecurity, Palant said he never received a response from LastPass about why the company apparently failed to migrate some number of customers to more secure account settings.

“I know exactly as much as everyone else,” Palant wrote in reply. “LastPass published some additional information in March. This finally answered the questions about the timeline of their breach – meaning which users are affected. It also made obvious that business customers are very much at risk here, Federated Login Services being highly compromised in this breach (LastPass downplaying as usual of course).”

Palant said that upon logging into his LastPass account a few days ago, he found his master password was still set at 5,000 iterations.

INTERVIEW WITH A VICTIM

KrebsOnSecurity interviewed one of the victims tracked down by Monahan, a software engineer and startup founder who recently was robbed of approximately $3.4 million worth of various cryptocurrencies. The victim agreed to tell his story in exchange for anonymity because he’s still trying to claw back his losses. We’ll refer to him here as “Connor” (not his real name).

Connor said he began using LastPass roughly a decade ago, and that he also stored the seed phrase for his primary cryptocurrency wallet inside LastPass. Connor chose to protect his LastPass password vault with an eight-character master password that included numbers and symbols (~50 bits of entropy).

“I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,” Connor said. “I had it in a bank security deposit box before that, but then I started thinking, ‘Hey, the bank might close or burn down and I could lose my seed phrase.’”

Those seed phrases sat in his LastPass vault for years. Then, early on the morning of Sunday, Aug. 27, 2023, Connor was awoken by a service he’d set up to monitor his cryptocurrency addresses for any unusual activity: Someone was draining funds from his accounts, and fast.

Like other victims interviewed for this story, Connor didn’t suffer the usual indignities that often presage a cryptocurrency theft, such as account takeovers of his email inbox or mobile phone number.

Connor said he doesn’t know the number of iterations his master password was given originally, or what it was set at when the LastPass user vault data was stolen last year. But he said he recently logged into his LastPass account and the system forced him to upgrade to the new 600,000-iteration setting.

“Because I set up my LastPass account so early, I’m pretty sure I had whatever weak settings or iterations it originally had,” he said.

Connor said he’s kicking himself because he had recently started the process of migrating his cryptocurrency to a new wallet protected by a new seed phrase. But he never finished that migration. And then he got hacked.

“I’d set up a brand new wallet with new keys,” he said. “I had that ready to go two months ago, but have been procrastinating moving things to the new wallet.”

Connor has been exceedingly lucky in regaining access to some of his stolen millions in cryptocurrency. The Internet is swimming with con artists masquerading as legitimate cryptocurrency recovery experts. To make matters worse, because time is so critical in these crypto heists, many victims turn to the first quasi-believable expert who offers help.

Instead, several friends steered Connor to Flashbots.net, a cryptocurrency recovery firm that employs several custom techniques to help clients claw back stolen funds — particularly those on the Ethereum blockchain.

According to Connor, Flashbots helped rescue approximately $1.5 million of the $3.4 million in cryptocurrency value that was suddenly swept out of his account roughly a week ago. Lucky for him, Connor had some of his assets tied up in a type of digital loan that allowed him to borrow against his various cryptocurrency holdings.

Without giving away too many details about how they clawed back the funds, here’s a high-level summary: When the crooks who stole Connor’s seed phrase sought to extract value from those loans, they were borrowing the maximum amount of credit that he hadn’t already used. But Connor said that left open an avenue for some of that value to be recaptured, basically by repaying the loan in many small, rapid chunks.

WHAT SHOULD LASTPASS USERS DO?

According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.

“Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw [hardware] wallet. Migrate. Now.”

If you also had passwords tied to banking or retirement accounts, or even just important email accounts — now would be a good time to change those credentials as well.

I’ve never been comfortable recommending password managers, because I’ve never seriously used them myself. Something about putting all of your eggs in one basket. Heck, I’m so old school that most of my important passwords are written down and tucked away in safe places.

But I recognize this antiquated approach to password management is not for everyone. Connor says he now uses 1Password, a competing password manager that recently earned the best overall marks from Wired and The New York Times.

1Password says that three things are needed to decrypt your information: the encrypted data itself, your account password, and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup.

“The two are combined on-device to encrypt your vault data and are never sent to 1Password,” explains a 1Password blog post, ‘What If 1Password Gets Hacked?’ “Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who somehow manages to guess or steal your account password would be able to access your vaults – or what’s inside them.”

Weaver said that the Secret Key adds an extra level of randomness to all user master passwords that LastPass didn’t have.

“With LastPass, the idea is the user’s password vault is encrypted with a cryptographic hash (H) of the user’s passphrase,” Weaver said. “The problem is a hash of the user’s passphrase is remarkably weak on older LastPass vaults with master passwords that do not have many iterations. 1Password uses H(random-key||password) to generate the password, and it is why you have the QR code business when adding a new device.”
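To put numbers on both points Weaver makes here (the iteration count in the “Offline Attacks” section above, and the random secret key in this one), the following is an added example written for this article, not code from LastPass, Palant, Weaver or 1Password. It assumes the vault key is derived with PBKDF2-HMAC-SHA256 (the article only says “iterations” of “the company’s encryption routines”), that cracking throughput scales inversely with the iteration count from Weaver’s figure of roughly 4 million guesses per second at 1,000 iterations on one Nvidia 3090, and that the random secret key is 128 bits long; the password, salt and GPU count are constructed sample values.

```python
"""Why the PBKDF2 iteration count decides how long a stolen vault survives.

Added illustration for this article; not code from LastPass, Palant or Weaver.
Assumptions: the vault key is derived with PBKDF2-HMAC-SHA256, cracking
throughput scales inversely with the iteration count, and the single-GPU
anchor is Weaver's ~4 million guesses/second at 1,000 iterations.
"""
import hashlib

# Weaver's reference point (one Nvidia 3090), as quoted in the article.
REF_ITERATIONS = 1_000
REF_GUESSES_PER_SECOND = 4_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Iteration defaults the article attributes to LastPass over the years.
LASTPASS_DEFAULTS = (1, 500, 5_000, 100_100, 600_000)


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key. Each iteration is one more HMAC-SHA256
    round that every guess, legitimate or not, has to pay for."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt.encode(), iterations, dklen=32
    )


def guesses_per_second(iterations: int, gpus: int = 1) -> float:
    """Throughput at a given iteration count, scaled linearly from the
    reference point: PBKDF2 cost grows linearly with the count."""
    return REF_GUESSES_PER_SECOND * REF_ITERATIONS / iterations * gpus


def expected_crack_years(entropy_bits: float, iterations: int, gpus: int = 1) -> float:
    """Expected time to find a secret of the given entropy: on average half
    the keyspace (2**(bits-1) guesses) is searched before the hit."""
    return 2 ** (entropy_bits - 1) / guesses_per_second(iterations, gpus) / SECONDS_PER_YEAR


def scenario_table(entropy_bits: float, gpus: int = 1) -> dict:
    """Expected GPU-years for each historical default, for one secret strength."""
    return {it: expected_crack_years(entropy_bits, it, gpus) for it in LASTPASS_DEFAULTS}


if __name__ == "__main__":
    # ~40 bits: Weaver's "Correct Horse Battery Staple" class of passphrase.
    # ~50 bits: Connor's eight-character password with numbers and symbols.
    for label, bits in (("~40-bit passphrase", 40), ("~50-bit 8-char password", 50)):
        print(label)
        for it, years in scenario_table(bits).items():
            print(f"  {it:>8,} iterations: {years:14.6f} GPU-years")
    # Weaver's 1Password point, H(random-key || password): assuming a 128-bit
    # random key, the secret strength becomes 50 + 128 bits and the iteration
    # count stops being what stands between the attacker and the vault.
    print(f"50-bit password + 128-bit key, 1 iteration: "
          f"{expected_crack_years(50 + 128, 1):.3e} GPU-years")
    # Constructed sample input, not anyone's real credentials.
    print(derive_vault_key("correct horse battery staple", "user@example.com", 600_000).hex())
```

Pass a larger `gpus` value to `scenario_table` to model the mining-farm scenario the article raises; the ratio between iteration counts stays the same, only the absolute years shrink.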

Weaver said LastPass deserves blame for not having upgraded iteration counts for all users a long time ago, and called the most recent forced upgrades “a stunning indictment of the negligence on the part of LastPass.”

“That they never even notified all those with iteration counts of less than 100,000 — who are really vulnerable to brute force even with 8-character random passwords or ‘correct horse battery staple’ type passphrases — is outright negligence,” Weaver said. “I would personally advocate that nobody ever uses LastPass again: Not because they were hacked. Not because they had an architecture (unlike 1Password) that makes such hacking a problem. But because of their consistent refusal to address how they screwed up and take proactive efforts to protect their customers.”

Bax and Monahan both acknowledged that their research alone can probably never conclusively tie dozens of high-dollar crypto heists over the past year to the LastPass breach. But Bax says that at this point he doesn’t see any other plausible explanation.

“Some might say it’s dangerous to assert a strong connection here, but I’d say it’s dangerous to assert there isn’t one,” he said. “I was arguing with my fiance about this last night. She’s waiting for LastPass to tell her to change everything. Meanwhile, I’m telling her to do it now.”
