Keeping private keys and other secret combinations related to cryptocurrencies should be the responsibility of the user. That is, it is best to rely on oneself in this matter rather than entrusting the data to third-party platforms. The lawsuit against LastPass is a clear demonstration of this.

Generally speaking, it is important to understand that once a seed phrase has in any way been entered into a device with an Internet connection – whether as a photo on an iPhone or as a secret combination saved in Notes – it can no longer be regarded as secure. After all, devices with an online connection are always, at least in theory, susceptible to hacking and phishing, which could lead to the loss of crypto-assets.

Ledger Nano S Plus Genesis Edition hardware wallet

Is it possible to solve this problem? Yes. Ideally, use hardware wallets to interact with cryptocurrencies, tokens and NFTs. In the case of the Ledger devices we’re already familiar with, the generation of the seed phrase and the derivation of the private keys take place offline, which means hackers cannot reach this critical combination over the Internet.

Where do I store my cryptocurrency password?

According to the plaintiff, he started buying BTC in July 2022 and upgraded his master password to more than 12 characters using a secret combination generator, as recommended by the LastPass service. The plaintiff intended to leave the private key in LastPass’s vault, protected by the new generated combination. However, as early as August 2022 it became known that the platform had been hacked. Immediately after the news broke, the plaintiff deleted his private data from the vault.

But despite the quick response, the data leak could not be prevented. Here’s a quote from the lawsuit on the matter, cited by Cointelegraph.

On or about the Thanksgiving holiday of 2022, the plaintiff’s bitcoins were stolen using private keys that he kept with the defendant. The LastPass hack through no fault of his own resulted in the theft of his cryptocurrency and put him at constant risk.

LastPass

The suit alleges that the victims have been exposed to an increased substantial risk of future fraud and misuse of their private information, which could take years to manifest, detect and identify. LastPass is accused of negligence, breach of contract, unjust enrichment and breach of fiduciary duty. However, the amount claimed as damages is not specified.


Alas, the news of losses in the world of digital assets doesn’t end there. In particular, prominent investors in the crypto sphere are already reporting their first losses from hacking attacks. One of them is a well-known member of the NFT community with the nickname CryptoNovo. He posted on his Twitter account a screenshot of outgoing transactions from his OpenSea account involving two CryptoPunks tokens. Their total value exceeds $300,000.

Stolen tokens

The tokens were immediately sold by the hacker for 70 and 199 ETH respectively. In total, he received almost $340,000 in ETH from these two transactions.

Transactions selling tokens

Numerous other NFT tokens were also stolen from CryptoNovo, including instances from Meebits, CloneX, Mutant Ape Yacht Club and Bored Ape Yacht Club collections. Although the victim claimed the attack was a “hack”, user Proper pointed out in the comments to his tweet that phishing was the more likely cause.

Someone also impersonating CryptoNovo on Discord

It turns out that CryptoNovo himself signed several approvals for an unknown smart contract. That contract then called the “transferFrom” function on the NFTs to move them out of the well-known community member’s wallet. In other words, someone likely tricked him into authorising a malicious decentralised application to move his tokens.


Note that the way out of this situation is, once again, a Ledger hardware wallet. Its distinguishing feature is a secure screen that is wired to the security chip and isolated from the Internet. Accordingly, it cannot be hacked remotely and forced to display fake transaction data. So even if a compromised MetaMask on a PC hides the real transaction details so that the user sends his coins to fraudsters with his own hands, the Ledger screen will show the actual address to which the transfer is being made.

In addition, hardware wallets can decode and display the permissions the user is granting when interacting with a smart contract. This way, the user will see when a scam contract asks for more permissions than the transaction actually requires, and that, in turn, could save him from exactly this kind of scam.
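As an added example, not code from the article and not Ledger’s or MetaMask’s own implementation, the following Node.js script does what a clear-signing wallet screen is meant to do for the two scenarios above (the `transferFrom` drain and the “more permissions than required” approval): it decodes the calldata of a transaction request, recognises the standard ERC-20/ERC-721 function selectors for `approve`, `setApprovalForAll`, `transfer` and `transferFrom`, and flags a `setApprovalForAll(operator, true)` to an operator the user does not know as a request to hand over every token in the collection. The selectors are the standard 4-byte selectors of those function signatures; the operator and collection addresses, the sample calldata and the allowlist of trusted operators are constructed for the demonstration.

```javascript
// Added example (not from the article): decode an Ethereum transaction request
// into the plain-language permission summary a signing screen should show.
// Assumes: standard ERC-20/ERC-721 selectors; constructed sample addresses.

// First 4 bytes of keccak256(signature) for the standard token functions.
const SELECTORS = {
  '0xa9059cbb': { name: 'transfer',          types: ['address', 'uint256'] },
  '0x095ea7b3': { name: 'approve',           types: ['address', 'uint256'] },
  '0xa22cb465': { name: 'setApprovalForAll', types: ['address', 'bool'] },
  '0x23b872dd': { name: 'transferFrom',      types: ['address', 'address', 'uint256'] },
  '0x42842e0e': { name: 'safeTransferFrom',  types: ['address', 'address', 'uint256'] },
};

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited allowance" value

// Decode one 32-byte ABI word (64 hex chars) into a static type.
function decodeWord(type, word) {
  switch (type) {
    case 'address': return '0x' + word.slice(24);  // low 20 bytes of the word
    case 'uint256': return BigInt('0x' + word);
    case 'bool':    return BigInt('0x' + word) !== 0n;
    default: throw new Error(`unsupported type ${type}`);
  }
}

// Split calldata into its selector and ABI-decoded arguments.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, '');
  if (hex.length < 8 || hex.length % 2 !== 0) throw new Error('malformed calldata');
  const selector = '0x' + hex.slice(0, 8);
  const entry = SELECTORS[selector];
  if (!entry) return { selector, name: null, args: [] };   // unknown function
  const body = hex.slice(8);
  if (body.length !== entry.types.length * 64) throw new Error(`bad argument length for ${entry.name}`);
  const args = entry.types.map((t, i) => decodeWord(t, body.slice(i * 64, (i + 1) * 64)));
  return { selector, name: entry.name, args };
}

// Produce the warning text and a risk level for a request {to, data}.
// trustedOperators: constructed allowlist of operator addresses the user expects (lowercase).
function explainRequest(tx, trustedOperators = new Set()) {
  const { name, args, selector } = decodeCalldata(tx.data);
  if (name === 'setApprovalForAll' && args[1] === true) {
    const known = trustedOperators.has(args[0].toLowerCase());
    return {
      risk: known ? 'medium' : 'high',
      summary: `grants ${args[0]} permission to move EVERY token you hold in ${tx.to}` +
               (known ? ' (known operator)' : ' (UNKNOWN operator)'),
    };
  }
  if (name === 'setApprovalForAll') {
    return { risk: 'low', summary: `revokes ${args[0]} as operator for ${tx.to}` };
  }
  if (name === 'approve') {
    const unlimited = args[1] === MAX_UINT256;
    return {
      risk: unlimited ? 'high' : 'medium',
      summary: `allows ${args[0]} to spend ${unlimited ? 'an UNLIMITED amount' : args[1].toString()} of ${tx.to}`,
    };
  }
  if (name === 'transferFrom' || name === 'safeTransferFrom') {
    return { risk: 'medium', summary: `moves token ${args[2]} of ${tx.to} from ${args[0]} to ${args[1]}` };
  }
  if (name === 'transfer') {
    return { risk: 'medium', summary: `sends ${args[1]} of ${tx.to} to ${args[0]}` };
  }
  return { risk: 'unknown', summary: `opaque call ${selector} to ${tx.to}; do not sign blind` };
}

// Constructed sample: a dapp asking for setApprovalForAll(OPERATOR, true) on a collection.
const OPERATOR   = '0x' + 'ab'.repeat(20);   // constructed operator address
const COLLECTION = '0x' + 'cd'.repeat(20);   // constructed NFT collection address
const SAMPLE_APPROVAL = {
  to: COLLECTION,
  data: '0xa22cb465' + '00'.repeat(12) + 'ab'.repeat(20) + '00'.repeat(31) + '01',
};
// Constructed sample: an ERC-20 approve() for an unlimited allowance.
const SAMPLE_UNLIMITED = {
  to: COLLECTION,
  data: '0x095ea7b3' + '00'.repeat(12) + 'ef'.repeat(20) + 'ff'.repeat(32),
};

console.log(explainRequest(SAMPLE_APPROVAL));
console.log(explainRequest(SAMPLE_UNLIMITED));
```

The point of the allowlist is that a `setApprovalForAll` to a marketplace the user deliberately opened is a normal listing step, while the same call to an address the user has never seen is exactly the signature that lets a drainer call `transferFrom` later; a screen that prints the decoded operator makes the two distinguishable before signing.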

A cryptocurrency investor with a hardware wallet


We believe that this situation amounts to an obvious recommendation: do not rely on password storage platforms when dealing with cryptocurrencies. Seed phrases and private keys should not be entered into devices with online connectivity, since sooner or later this can end in a hack – including a hack of a centralised intermediary platform – and in the theft of digital assets. And in that case it may not be possible to recover anything or obtain any compensation, although this particular case will be settled one way or another in a court of law.