LastPass: Hackers Stole Customers’ Password Vaults, Breach Worse Than Initially Thought

It's time to start changing your passwords

This past August, LastPass, one of the best-known password manager services, suffered a breach. According to the company, the harm caused by the unidentified hackers is significantly worse than was initially believed, and users should change their passwords immediately. In its initial report on the incident detected in August, LastPass stated that "only" the company's source code and confidential technical information had been compromised.

Passwords and user information, it said, remained intact and secure. A subsequent security notification on the same incident, however, reported that the hostile actors had also been able to access some customer data. According to LastPass, the black-hat attackers were able to access the cloud storage and decrypt the dual storage container keys.

By copying a backup that contained "basic customer account data and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," they were able to further undermine the platform's security.

The cybercriminals were also able to copy a backup of the encrypted storage container, which holds customer vault data in a proprietary binary format. The container holds both encrypted and unencrypted information, including sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

According to LastPass, the encrypted fields "remain secure" even in the hands of cybercriminals, since they were encrypted with a 256-bit AES-based algorithm and "can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture." Zero Knowledge means that LastPass never knows the master password required to unlock the data, and that decryption is always carried out locally on the user's device, never on LastPass's servers.

LastPass stores partial credit card information in a separate cloud environment, and there are currently no signs that this data was accessed. All things considered, LastPass is trying to convey that users' encrypted data should still be protected despite the extensive breach of the company's infrastructure.

That does not mean the breach carries no risk, however. Although the firm says it routinely tests "the newest password cracking tools against our algorithms to maintain pace with and improve upon our cryptographic controls," LastPass acknowledges that a determined hostile actor might attempt to brute-force the encrypted passwords.

Additional dangers include phishing and credential-stuffing or brute-force attacks against the online accounts stored in users' LastPass vaults. LastPass stated that it will never contact a user by phone, email, or text asking them to click a link to confirm personal information, nor will it ever ask for a vault's master password. As a last line of defense, users of the online password manager are urged to change both their master password and every password kept in the vault.
