Date: 2023-09-06

The LastPass breach is the gift that keeps giving, with security experts now fearing bad actors have cracked the stolen vaults.

LastPass experienced a massive breach in 2022, one in which source code, customer password vaults, and encryption keys were stolen. To make matters worse, the company was less than forthcoming about the extent of the breach, trickling out information over the course of months.

According to Krebs on Security, security experts believe bad actors are successfully cracking the stolen password vaults. The theory is based on an uptick of successful attacks against tech-savvy, security-conscious individuals, with the common denominator being their use of LastPass.

Taylor Monahan is founder and CEO of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.

“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”

Monahan found that nearly all of the victims had used LastPass to secure their “seed phrase,” which is necessary to access their crypto investments.

The revelation, if true, is a damning indictment of LastPass and should give anyone considering the service pause.