Atlas Apex


LastPass Breach Leads to $150M Crypto Theft Years Later

Incident · KrebsOnSecurity · Mar 2025

Federal prosecutors linked a $150M cryptocurrency heist to the 2022 LastPass breach. Seed phrases stored in Secure Notes were compromised.

Key Finding

The consequences of credential compromise manifested three years after the initial breach, as attackers methodically cracked master passwords.

In March 2025, federal prosecutors confirmed what independent security researchers had been tracking for over a year: a $150 million cryptocurrency heist was directly linked to the 2022 LastPass breaches. Approximately $24 million was subsequently seized.

The attack chain was devastatingly simple. During the 2022 breaches, attackers obtained encrypted password vaults from LastPass. Over the following months and years, they methodically cracked master passwords, starting with the weakest, and extracted cryptocurrency seed phrases that victims had stored in LastPass "Secure Notes."

This incident illustrates the long-tail consequences of credential compromise. The initial breach occurred in 2022. The cryptocurrency thefts continued into 2025. The credentials were not "stale" or "expired". Seed phrases do not rotate, and the victims had no indication their vaults had been compromised until their cryptocurrency was gone.

From an identity architecture perspective, this reinforces a critical principle: breaches do not end when the news cycle moves on. Compromised credentials have a shelf life measured in years, not days. Identity architecture must account for the persistence of compromised material and the compounding risk of credential reuse across systems with different security properties.

It also raises fundamental questions about where secrets should be stored and who bears architectural responsibility when a credential management system is itself compromised.
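
The multi-year shelf life described above can be estimated per vault and used to decide which secrets to replace first. This Python sketch is an added example, not code from the original article or from LastPass; the attacker hash rate, entropy estimates, iteration counts and vault contents are all constructed assumptions.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600

@dataclass
class Secret:
    name: str
    replaced_since_breach: bool  # True if a new value was issued after the vault copy was taken
    can_rotate: bool             # False for a seed phrase: it cannot be changed in place

@dataclass
class Vault:
    owner: str
    master_entropy_bits: float   # assumed strength estimate of the master password
    kdf_iterations: int          # hash operations an attacker pays per guess
    secrets: list

def expected_years_to_crack(vault, attacker_hashes_per_sec):
    """Expected offline search time: half the keyspace, kdf_iterations hashes per guess."""
    guesses = 2 ** (vault.master_entropy_bits - 1)
    return guesses * vault.kdf_iterations / attacker_hashes_per_sec / SECONDS_PER_YEAR

def live_exposure(vaults, attacker_hashes_per_sec, horizon_years):
    """List (years, owner, secret, can_rotate) for secrets still valid when their
    vault is expected to fall inside the horizon, weakest vault first."""
    findings = []
    for vault in vaults:
        years = expected_years_to_crack(vault, attacker_hashes_per_sec)
        if years > horizon_years:
            continue
        for s in vault.secrets:
            if not s.replaced_since_breach:
                findings.append((years, vault.owner, s.name, s.can_rotate))
    return sorted(findings)

# Constructed inventory and attacker rate, for illustration only.
ASSUMED_RATE = 1e10
SAMPLE_VAULTS = [
    Vault("alice", 40, 5_000, [Secret("wallet seed phrase", False, False),
                               Secret("email password", True, True)]),
    Vault("bob", 44, 100_000, [Secret("wallet seed phrase", False, False),
                               Secret("bank password", False, True)]),
    Vault("carol", 60, 100_000, [Secret("wallet seed phrase", False, False)]),
]

if __name__ == "__main__":
    for years, owner, name, can_rotate in live_exposure(SAMPLE_VAULTS, ASSUMED_RATE, 3):
        action = "rotate now" if can_rotate else "retire and replace"
        print(f"{owner:6} {name:20} falls in ~{years:.2f} y -> {action}")
```

With these assumed inputs, the weakest vault falls within days and the second only after more than two years, which is the long tail the incident shows: a secret that was never replaced is still usable whenever its vault is finally opened.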
