LastPass DB breach

Sorry for the delay, but hopefully never to late to create awareness around this.
LastPass had a breach on one of their back-up databases in December 2022.

Points of Action:
If you have saved any secret key in LastPass including Users with 2FA/MFA Authenticated or not to log in to their services.
You MUST/SHOULD create a new wallet and transfer all your assets to your new wallet. :bangbang:


thanks @roarh for the notice. I don’t even want to think about how many times I’ve seen LastPass included in video and written explanations of how to “secure” your cryptocurrency resources or operations.

Most notably I saw it recommended as a means of creating a “will” of cryptocurrency assets because they would effectively release keys under preconditions of proving the account owner’s decease, if prior arrangements had been made as such… but with this security breach I guess the hackers wouldn’t have to wait until you were dead. :crazy_face:

While wishing a speedy restoration of security to anyone affected in our Cardano & general crypto community, this does reveal another dimension to the old adage Not your keys, not your crypto.

1 Like

highly recommend self hosting bitwarden, for all the pro features its 10$/year and works really well. there is a free version called vaultwarden that is api compatible with all the plugins too if money is tight

though, imho, never store your seeds in a network accessible system

This Cardano project addresses the issue.
It allows users to sign into a secure website using a Cardano wallet.

The following is the twitter account

The following is the github

I think they are just getting started but if successful, they will solve a very big problem.

1 Like

Thanks to smart contracts on Cardano, wills for crypto assets may no longer be required.
Just put funds in a smart contract that disperses funds to beneficiaries if you don’t withdraw some tiny amount within a set time limit (like every six months).

Of course only the owner can withdraw funds.
So if the contract has seen no withdrawals in a given amount of time then it is assumed that the owner is dead.

The contract disperses funds automatically.
No will is needed.

1 Like

Haven’t we seen enough security breaches to know better?
Can’t imagine why anyone would trust passwords to any service like this.

1 Like

Smart minds thinks alike :upside_down_face:
Here is an extract from our whitepaper

Incentive – Legacy / Inherit

In the sad case where a User passes away, they can set up an inheritance through their native wallet that will go into effect after ~5 years of inactivity on an account. If they have not set this, the inheritance is by default set to the Youblob Treasury which is built towards the UNSDG helping Makers and STEM projects around the world.
Notification will of course be sent out to User before this inactivity is taken into effect.


In a will you usually determine what should happen to all your belongings. So, you would have to keep all your crypto assets in that contract ever. All the assets that are in usual wallets, will only be accessible if you leave the keys to someone.

Interesting, the “canary in a coal mine” trick… to keep chirping to say the owner is not deceased :thinking:

That it is a good point, and if doing this with a Cardano smart contract that creates the requirement of wrapping all the non-Cardano assets so the smart contract could disburse them. And that means leaving assets wrapped in the long term: which means your funds will more likely end up in the hands of a hacker than with you or your beneficiary :fearful:

So single smart contracts may be a solution still targeted for the long term to be a good choice for payable-on-death solutions, but only after inter-blockchain, identification & oracle features are more prevalent and far more reliable. In the short term the Cardano smart contract could be a component in such an arrangement: perhaps to disburse keys securely or enable some other activity upon the will’s execution. :thinking:

1 Like

Or you could just leave a paper document explaining how this crypto stuff works, how your heirs can get out of it if they are not interested as fast and profitable as possible, with the seed phrases at the end.

again, “great minds think alike” … after looking at all native and commercial options available, we decided this was not only the best but also the only method that would work. One scenario = an encrypted document in the hands of your closest relative and its password with your closest friend.

Considering the constant changing of one’s crypto profile in almost all practical situations, this is the only means that would ever work in the long term. The “will” encrypted file becomes a copy of the notes of your own crypto asset storage, and can include the working funds of enterprises as well which would have more complicated instructions.

And then there is the advantage of being able to address such instructions personally… which the commerial solutions or homegrown automation could never do. During times of grief there would be nothing more helpful than a compassionate message written in advance to to soften the blow, in a format that would provide an element of ongoing connection with the survivor(s) and the mystery of a treasure hidden across that ultimate boundary. :innocent:

1 Like

I tend to formulate less flowery, but yes! :grin:

It also depends very much on personal requirements.

Personally, I won’t have to protect multiple heirs against each other, ensuring via some mechanism that the distribution is fair. It’s basically one person (plus my parents?). So, for me, I won’t even deem encryption necessary.

Hiding one copy in our common home and locking one copy in our common bank deposit box should be more than enough. Burglars here with a very high probability look for cash, jewels, and electronics, not for documents that look like crypto currency stuff. (As always: Your mileage may vary.)

(I consider passwords and encryption much more to be against online threats than against threats in the physical world. And a lot of questionable advice comes from strange attack models. “Don’t ever write your password down!”, while it is much more likely that someone on the Internet cracks the password that is easy enough to not write it down than that someone breaks into your home to read it from the Post-It on the monitor. Changes a bit for more public spaces, office, etc. and a lot for high-profile targets.)

And it obviously depends on your loved ones, how detailed the instructions have to be. (In such a fast-developing space, they obviously also have to be adapted from time to time.)

All the smart contract solutions require every heir to already be active not only in crypto in general, but in all ecosystems where you want to bequeath something to them. I would not deem that requirement realistic now or in the near future, not only for me, but for many people.

And since “Friends don’t talk friends into crypto.” (while not the more radical “Friends don’t let friends go into crypto.”) is a principle I hold quite high, I won’t go: “If you want to inherit something from me later, you have to create a Cardano wallet now.”

1 Like

Charles talked about maybe using Bitwarden (paid) or KeePass (free) in his “Lastpass Hack” video: Lastpass Hack - YouTube
But for your hardware wallet seed phrase - you should never store that electronically!
The whole point of a hardware wallet is to keep the private key in the hardware wallet.
Write the backup seed phrase on a piece of paper like:
File:Seed-phrase-wallet-backup-template.png - Wikimedia Commons