Posted on December 23, 2022 at 7:21 AM
LastPass confirms hackers stole encrypted password vaults
LastPass, one of the largest password management companies, has announced that cybercriminals accessed its encrypted password vaults. These vaults are used to store customer passwords and other sensitive information. The company noted that the sensitive information was accessed after a data breach earlier this year.
LastPass confirms password theft
LastPass revealed the details through an updated blog post. The CEO of the password manager giant, Karim Toubba, said that the hackers accessed a copy of a backup of customer vault data by using cloud storage keys that had been stolen from a company employee.
The cache for the customer password vaults is stored in a “proprietary binary format” with encrypted and unencrypted vault data. However, the proprietary format’s technical and security details have not been revealed.
The data that was not encrypted includes the web addresses stored within the vault. It remains unclear when the threat actors accessed the stolen backups. LastPass also noted that the customer password vaults remained encrypted, with the information contained within only accessible using the master password of the customer.
However, the company has warned that the hackers behind the breach could attempt to brute-force the master password and decrypt the data in the vaults they stole. If that succeeds, it could expose customers to a massive intrusion.
Toubba also said that the hackers accessed other customer data, such as names, email addresses, phone numbers and some customers’ billing details. This means the hackers might use the stolen information to access customers’ financial details and infiltrate their online banking accounts.
LastPass has boomed in popularity because of the convenience it offers online users who want a simple way of storing their passwords. It is always recommended that passwords be long, complex, and different for every service or website. Remembering such passwords is challenging, which is why people use password managers.
LastPass users should protect themselves
Given the latest security incident at LastPass, it is evident that password managers can be attacked and compromised, and that they are not always safe. However, not all password managers are built the same way, and the threat model of one differs from that of another. No two of them share exactly the same requirements, which means they cannot all be breached in the way LastPass was.
However, when this type of breach happens and a hacker gains access to customer vault data, the threat actor still has to obtain the victim’s master password. The strength of the password vault depends on its encryption and on the password the customer created as the master key for the platform. The master key is the only key that can unlock the customer’s vault data, so whether the hacker gains access to that data depends on whether they can crack the master password.
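To make that point concrete, the following is an added example (not code from the article or from LastPass) that estimates the cost of offline guessing against a stolen vault. It assumes the vault key is derived with PBKDF2-HMAC-SHA256; the iteration count, the attacker guess rate and the password profiles are all constructed assumptions, not LastPass figures.

```python
import hashlib
import math
import time

# Assumption (not stated in the article): the vault key is derived with
# PBKDF2-HMAC-SHA256; the iteration count here is illustrative, not LastPass's.
ITERATIONS = 100_100
# Assumed guess rate (guesses per second) for a well-resourced attacker
# running the same KDF in parallel on many machines; a constructed figure.
ASSUMED_ATTACKER_RATE = 10_000.0

def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte vault key from the master password (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random from charset_size ** length
    possibilities; human-chosen passwords are weaker than this bound."""
    return length * math.log2(charset_size)

def expected_guesses(bits: float) -> float:
    """Average guesses an exhaustive search needs: half of the keyspace."""
    return 2 ** (bits - 1)

def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected duration of an offline search at the given rate, in years."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)

def measure_local_rate(samples: int = 3) -> float:
    """Single-core guess rate on this machine; each guess costs one full KDF run."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe-{i}", salt)
    return samples / (time.perf_counter() - start)

# Constructed master-password profiles: (label, charset size, length).
PROFILES = [
    ("8 lowercase letters", 26, 8),
    ("8 printable ASCII chars", 95, 8),
    ("4 random dictionary words", 7776, 4),
    ("6 random dictionary words", 7776, 6),
    ("14 printable ASCII chars", 95, 14),
]

if __name__ == "__main__":
    local_rate = measure_local_rate()
    print(f"local single-core rate: {local_rate:.1f} guesses/s")
    for label, charset, length in PROFILES:
        bits = entropy_bits(charset, length)
        print(f"{label:28s} {bits:5.1f} bits  "
              f"{years_to_crack(bits, local_rate):.3g} years (local)  "
              f"{years_to_crack(bits, ASSUMED_ATTACKER_RATE):.3g} years (assumed attacker)")
```

Raising the iteration count or adding a few random words to the master password each multiplies the expected search time, which is the lever a vault owner still controls after the ciphertext has been stolen.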
One of the best things LastPass customers can do following this breach is to change their LastPass master password to a new, unique password, written down and stored in a safe location. Changing the master password improves the security of the user’s LastPass vault and ensures that the attacker cannot access it.
If a customer thinks their LastPass password vault has been compromised, they should begin by changing the passwords stored in it, starting with their most critical accounts, such as email, bank, social media, and cell phone plan accounts. Once the customer has changed their passwords in that priority order, the attackers are locked out of those accounts even if they manage to crack the password vault.
One positive note is that users who had enabled two-factor authentication on their accounts have made it difficult for an attacker to access those accounts without also having the second factor, which can be an email, a cell phone pop-up, or a text message.
Therefore, users are advised to secure their second-factor accounts first by changing the passwords of sensitive accounts such as email and cell phone plan accounts. Once a user has secured these accounts, it becomes difficult for the threat actor to access them.