Millions stolen from LastPass users in massive attack — what you need to know

Just when you thought all of the fallout from the LastPass hack back in 2022 was over, hackers have now used stolen data from that incident to launch a series of attacks on users of the popular password manager.

In case you’re in need of a refresher, back in 2022, LastPass fell victim to multiple hacks in which its source code, API tokens, MFA seeds and keys were stolen from customers. With all of this valuable data in hand, hackers then launched a series of attacks in which they went after users’ crypto. Up until this point, LastPass was considered one of the best password managers and came highly recommended.

Then in October of 2023, $4.7 million in cryptocurrency was stolen, and in February of this year an additional $6.4 million in digital currencies was drained from the accounts of LastPass users.

Now though, as reported by The Block, hackers with LastPass data have stolen yet another $5.36 million from over 40 different crypto wallet addresses of its users. This was discovered by the blockchain expert ZachXBT, who claimed in a Telegram post that these new attacks are just the latest fallout from the one that took place two years ago.

In his post, ZachXBT explains that after this $5.36 million in crypto was stolen, the hackers then swapped these funds for Ethereum and proceeded to transfer them to various instant exchanges while converting them into Bitcoin.

Unfortunately with cryptocurrency, there’s really nothing at all victims can do to restore these stolen funds. This is why it’s recommended that you use a hardware wallet to store your crypto instead of a digital one or worse, keeping your crypto on an exchange where you don’t control the private keys.

In a statement to Tom's Guide, LastPass' CTO and CSO Christofer Hoff provided further insight on these crypto thefts, saying:

“A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass. Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team at securitydisclosure@lastpass.com.”

How to stay safe after a major security incident

Once you find out a service you use has been hacked, you need to take action immediately if you want to avoid getting caught up in the fallout yourself. This means changing your passwords and potentially placing a credit freeze or fraud alert on your financial accounts if they could be at risk.

In the case of a password manager like LastPass though, you want to change your master password which lets you access all of the other passwords and data you have stored with the service. Your master password is protected by strong end-to-end encryption and other safeguards, but you can never be too careful.

ZachXBT also pointed out in his post that the reason so many crypto accounts were attacked using stolen LastPass data is due to the fact that some users might have relied on the service to store their seed phrases or keys. If you’re unfamiliar with crypto, these are what are used to regain access to your account — and your money — when you forget your password.

Seed phrases and keys can be tricky though since storing them online in something like one of the best cloud storage services might seem like a good idea as doing so is convenient. In reality though, this is a terrible idea and one of the best places to store your seed phrase is offline in a safe or even in a safety deposit box. That way, if your other accounts get hacked, it won’t be accessible. Another thing to keep in mind is that under no circumstance whatsoever should you ever share your seed phrase with anyone, especially online.

So let’s say you switched to Dashlane, NordPass or another password manager after 2022’s LastPass breach. Even then, if you have compromised passwords and especially if you reuse them, your accounts could still be at risk. This is why you want to break the password reuse cycle and instead use a strong and unique password for each of your online accounts. If you have trouble coming up with passwords on your own, a password generator can help make secure ones for you. Most password managers include this feature, though there are also free password generators available online.

The cybercriminals behind 2022’s LastPass hack have milked that attack for all it’s worth, but the fact that we’re still seeing that stolen data used in new attacks today might mean that they’re not quite done yet. Only time will tell, but by practicing good cyber hygiene and online habits, you should be able to stay safe. If worse comes to worst though, it might also be worth investing in one of the best identity theft protection services as they can help you recover stolen funds (and your identity) more quickly after a crisis.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
