LastPass, a popular password manager application, finds itself at the centre of controversy once again as a hacker stole millions of dollars worth of crypto assets from users’ wallets last week as a result of compromised seed phrases.

Blockchain sleuths ZachXBT and Tayvano traced the hacker’s movements on Oct 25 and found that around $4.4 million worth of crypto was stolen from 80 distinct addresses belonging to 25 distinct victims.


“Most, if not all, of the victims are longtime LastPass users and/or confirm having stored their keys/seeds in LastPass,” wrote Tayvano in a report.

The incident relates to a security breach first identified in December 2022, when LastPass notified users that an unauthorized party had gained access to a third-party cloud-based storage service in which the firm stored archived backups of data.

At the time, LastPass said that the threat actor was able to copy customer vault data from the encrypted storage and gained access to website usernames and passwords, secure notes, and form-filled data.

Although the data was compromised, LastPass CEO Karim Toubba noted that the threat actor would need to use brute force to guess master passwords and decrypt the copies.

Toubba estimated that this would be an “extremely difficult” process for threat actors because of the hashing and encryption methods the firm uses to protect its customers.

Earlier this year, Unchained reported that a massive wallet draining operation had resulted in $10 million worth of crypto stolen between December 2022 and April 2023. Tayvano, who traced these transactions, later said there was good reason to believe LastPass was the source of the compromise.

After last week’s activity, it is clear that the exploiter is far from done looting crypto wallets that have had their seed phrases compromised.