Tihan is right. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not
info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).
The API keys were revoked immediately, read the beginning of the last "hack" thread. The problem this time is that the withdrawal was via a normal login, which wasn't protected with 2 factor authentication.
As for the API-key-as-a-master-password fuckup, well I don't have enough info on that to make a judgement. Was that password implemented in the assumption that the source would not be released? Perhaps that's what it was set to AFTER the previous hack (stupid)? Maybe no one correlated it with the API key, and didn't realize the significance?
Ah, somebody downloaded LastPass and sync'd it with an account using info@bitcoinica.com as the log-in and the revoked MtGox API key as the password. This gave them all the passwords for that account, including the regular MtGox password (no 2-factor auth).
And it sounds like three separate people/groups had full access to the info@bitcoinica.com LastPass account: zhoutong (who presumably set it up), Tihan (who passed it to "bitcoin consultancy"), and bitcoin consultancy.
That still doesn't explain how the attacker knew that specific password should be tried at all.
We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?
-MarkM-
I don't think there is a separate encryption passphrase for LastPass, the master password is the encryption passphrase.
https://lastpass.com/features_free.php: "Your sensitive data is encrypted on your PC. Only your LastPass password can unlock your data and only YOU have it."
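To make the point of the last two posts concrete (MarkM's question about whether there is a separate decryption passphrase, and the answer that the master password is the encryption key), here is an added, self-contained model of a client-side-encrypted password vault. It is not LastPass's code and does not reproduce LastPass's actual parameters: the KDF choice, iteration count, and the HMAC-based toy cipher are assumptions, and the API key string, vault entry and nonces are constructed sample data. What it shows is that a single secret (the master password) both gets the encrypted blob from the server and decrypts it, so setting that secret to a value that later appears in released source (the revoked MtGox API key, as described above) hands over the whole vault, while rotating the master password leaves the old secret worthless.

```python
import hashlib
import hmac
import json

# Assumed KDF parameters; the thread does not say what LastPass used in 2012.
KDF_ITERATIONS = 100_000
NONCE_LEN = 16


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side vault key: derived from the master password alone, salted with the e-mail.
    There is no second passphrase; whoever knows master_password can compute this."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Authentication value sent to the server. One extra KDF round means the server
    stores something that cannot be turned back into vault_key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream, illustrative only (real code: AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict, nonce: bytes) -> bytes:
    """Encrypt the JSON-serialised vault with the client-side key; returns nonce || ciphertext."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    stream = _keystream(vault_key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(vault_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


def enrol(server: dict, email: str, master_password: str, entries: dict, nonce: bytes) -> None:
    """Client creates the account: server keeps only login_hash -> encrypted blob."""
    key = derive_vault_key(master_password, email)
    server[login_hash(key, master_password)] = encrypt_vault(key, entries, nonce)


def attacker_recovers_vault(server: dict, email: str, guessed_master: str):
    """What someone who knows the e-mail and a candidate master password can do:
    fetch the blob (the login hash matches) and decrypt it (the vault key matches).
    Returns the plaintext vault, or None if the server does not hand over a blob."""
    key = derive_vault_key(guessed_master, email)
    blob = server.get(login_hash(key, guessed_master))
    return None if blob is None else decrypt_vault(key, blob)


# Constructed sample data (not real credentials).
EMAIL = "info@bitcoinica.com"
LEAKED_API_KEY = "MTGOX-API-KEY-EXAMPLE-0000"           # stands in for the revoked key
VAULT = {"mtgox.com": "constructed-mtgox-password"}     # the non-2FA login the post mentions
NEW_MASTER = "new-unrelated-master-passphrase"


def demo():
    """Returns (vault recovered while the API key was the master password,
                result after the master password was rotated)."""
    server = {}
    enrol(server, EMAIL, LEAKED_API_KEY, VAULT, b"\x00" * NONCE_LEN)
    reused = attacker_recovers_vault(server, EMAIL, LEAKED_API_KEY)

    rotated = {}
    enrol(rotated, EMAIL, NEW_MASTER, VAULT, b"\x01" * NONCE_LEN)
    after_rotation = attacker_recovers_vault(rotated, EMAIL, LEAKED_API_KEY)
    return reused, after_rotation


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants from this model: the only thing standing between the encrypted blob and its plaintext is the master password, so that password must never be a value that has existed anywhere else (an API key, a shared team secret, a string committed to source), and once it is suspected exposed, rotating it is the fix, not revoking the API key it was copied from.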