Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store passwords and other customer secrets, in a data breach earlier this year.
In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but the technical and security details of this proprietary format were not specified. The unencrypted data includes the web addresses stored in the vault, but LastPass doesn’t say more about that or in what context. It’s unclear how recent the stolen backups are.
LastPass said customer password vaults are encrypted and can only be unlocked with the customer’s master password, which is known only to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of the vault data they have taken”.
Toubba said the cybercriminals also took vast amounts of customer data, including names, email addresses, phone numbers and some billing information.
Password managers are extremely useful for storing your passwords, all of which should be long, complex, and unique to each site or service. But security incidents like this remind us that all password managers are not created equal and can be attacked or compromised in different ways. Since everyone’s threat model is different, no one will have the same requirements as the other.
In a rare situation like this – which we explained in our analysis of the LastPass data breach notice – if a bad actor gains access to customers’ encrypted password vaults, “all they would need is the victim’s master password”. An exposed or compromised password vault is only as strong as the encryption – and the password – used to scramble it.
The best thing you can do as a LastPass customer is to replace your current LastPass master password with a new, unique password (or passphrase) that is written down and kept in a safe place. This means that your current LastPass vault is secured.
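The warning above comes down to arithmetic: a stolen vault can be attacked offline, so the attacker's cost is the size of the master password's guess space multiplied by the cost of each guess, and the key-stretching step that turns the master password into the vault key sets that per-guess cost. The following Python example is added here to illustrate that and is not LastPass code; the page does not state LastPass's key derivation or its parameters, so PBKDF2-HMAC-SHA256 with 600,000 iterations, the sample salt, the wordlist and the guess rates are all assumptions made for the demonstration.

```python
import hashlib
import math
import secrets
import time

# Assumed key-stretching parameters (not taken from the page or from LastPass).
ITERATIONS = 600_000
KEY_LEN = 32

# Constructed mini wordlist for passphrase generation; a real one would be ~7,776 words.
WORDLIST = ["anchor", "basalt", "cobalt", "dahlia", "ember", "fjord",
            "glacier", "harbor", "iris", "juniper", "kestrel", "lumen"]


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a fixed-length vault key.
    Every brute-force guess must repeat this work, which is the point of stretching."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def keyspace_for_password(alphabet_size: int, length: int) -> int:
    """Number of candidates for a random password of the given alphabet and length."""
    return alphabet_size ** length


def keyspace_for_passphrase(wordlist_size: int, words: int) -> int:
    """Number of candidates for a random passphrase drawn from a wordlist."""
    return wordlist_size ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """On average the attacker finds the password after trying half the keyspace."""
    return keyspace / 2 / guesses_per_second


def measure_guesses_per_second(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Time the stretching step on this machine to estimate one core's guess rate."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def generate_passphrase(words: int, wordlist=WORDLIST) -> str:
    """Pick words with the secrets module so the passphrase is uniformly random."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    rate = measure_guesses_per_second()
    print(f"stretched guesses/second on one core here: {rate:,.1f}")
    for label, space in [
        ("8 digits", keyspace_for_password(10, 8)),
        ("8 mixed chars", keyspace_for_password(94, 8)),
        ("6-word passphrase (7,776-word list)", keyspace_for_passphrase(7776, 6)),
    ]:
        years = expected_crack_seconds(space, rate) / (365 * 24 * 3600)
        print(f"{label:38s} {entropy_bits(space):6.1f} bits  ~{years:.3g} years at that rate")
    print("example passphrase:", generate_passphrase(6))
```

The measured rate is for a single CPU core running the stretched derivation; an attacker with GPUs and a copy of the vault will do far better, which is why the passphrase row, not the stretching alone, is what keeps the expected crack time out of reach. A weak or reused master password collapses the keyspace column regardless of how many iterations the vault uses.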
If you think your LastPass password vault might be compromised, such as if your master password is weak or you’ve used it elsewhere, you should start changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, cell phone plan account, bank accounts, and social media accounts, and work your way down the priority list.
The good news is that any account protected by two-factor authentication will make it much harder for an attacker to gain access to your accounts without that second factor, like a phone pop-up or a code sent via text or email. That’s why it’s important to secure those secondary accounts first, like your email accounts and cell phone plans.