Just when we thought the LastPass hack of 2022 was all but over, hackers used the data stolen in the incident to launch a series of attacks targeting users of the popular password manager.
In case you missed it, in 2022 LastPass was the victim of multiple hacks in which source code, API tokens, MFA seeds, and customer keys were stolen. With this valuable data in hand, hackers launched a series of attacks targeting users' cryptocurrency. In October 2023, $4.7 million in cryptocurrency was stolen, and in February of this year, an additional $6.4 million in digital currency was stolen from LastPass users' accounts.
But now, as reported by The Block, hackers using LastPass data have stolen another $5.36 million from more than 40 different crypto wallet addresses of users. This was discovered by blockchain expert ZachXBT, who claims in a Telegram post that these new attacks are merely derivative of those made two years ago.
In his post, ZachXBT explains that after this $5.36 million in crypto was stolen, hackers converted these funds into Ethereum and proceeded to transfer them to various instant exchanges while converting them to Bitcoin.
Unfortunately, with cryptocurrency, there is very little victims can do to recover their stolen funds. In a statement to Tom's Guide, LastPass CTO and CSO Christofer Hoff provided further insight into these cryptocurrency thefts, stating: “A year has passed since the first claims surfaced alleging a link between certain cryptocurrency thefts and the LastPass security incident in 2022. During this time, LastPass has investigated these claims, but to date we are not aware of any conclusive evidence directly linking these cryptocurrency thefts to LastPass... We take any claims regarding the security of LastPass and our customers very seriously, and we are working with the... If you are a security researcher who believes that you have obtained evidence, please continue to contact the LastPass Threat Intelligence Team at [email protected].”
If you find out that a service you use has been hacked, you need to take immediate action if you want to avoid becoming a victim yourself. This means changing your passwords and possibly placing a credit freeze or fraud alert if your financial accounts may have been compromised.
With a password manager like LastPass, however, the master password is the key that unlocks all the other passwords and data stored on the service, so it is the first one to change. Master passwords are protected by strong end-to-end encryption and other safeguards, but one can never be too cautious.
ZachXBT also noted in his post that the reason so many crypto accounts were attacked with stolen LastPass data is that some users may have used the service to store their seed phrases and keys. For those unfamiliar with cryptocurrency, these are used to regain access to wallets (and the money in them) when passwords are forgotten.
Seed phrases and keys are tricky things, and storing them online on something like the best cloud storage services may seem like a good idea because it is convenient. In reality, however, this is a terrible idea, and one of the best places to store your seed phrases is offline in a safe or safety deposit box. That way, if another of your accounts is hacked, the attackers will not be able to get at them. Another thing to remember is that under no circumstances should you share your seed phrases with anyone, especially online.
Now, let's say you switched to Dashlane, NordPass, or another password manager after the LastPass breach in 2022. Even then, your accounts may still be compromised, especially if one of your passwords was exposed and you reuse it elsewhere. Therefore, you want to break the password reuse cycle and instead use a strong, unique password for each online account. If coming up with your own passwords is difficult, you can use a password generator to help you create secure passwords. Most password managers have this feature, but there are also free password generators available online.
The cybercriminals behind the LastPass hack of 2022 squeezed all the value out of that attack, but the fact that we are still seeing stolen data used in new attacks today could mean they are not done yet. Only time will tell, but good cyber hygiene and good online habits should help keep you safe. But if the worst does happen, it may be worth investing in the best identity theft protection services to help you recover stolen funds (and your identity) more quickly after a crisis.