What is LastPass Breach?
On 22nd December 2022, online password management service LastPass revealed that threat actors can steal sensitive information from user accounts like billing, end-user names, email IDs, IP address info, and telephone numbers.
The leak also includes customer vault data, which consists of both unencrypted data like website URLs and encrypted data like website usernames and passwords, form-filled data, and secure notes. An earlier hack of customer data in August 2022 led to this more severe data breach.
Risks for LastPass Users
The data of all 30 million LastPass users stored on the company servers as of August 2022 is at risk. Hackers possess a copy of your entire pad vault. In case a hacker manages to crack your master password, they can take full control of your online life. It means full access to your bank accounts, emails, tax information, healthcare data, social media accounts, and much more.
As per LastPass, hackers may try using brute force for finding out your master password and decode the copies of vault data they have stolen. But, LastPass says it is highly unlikely- to brute force and guess master passwords can take up to a million years if a user has strong secured passwords. But do users really have safe passwords?
Experts doubts claims by LastPass
Experts have raised doubts about LastPass' recent updates. “The statement is full of omissions, half-truths, and outright lies," says Wladimir Palant, security researcher and creator of AdBlock Plus. "The hack a far more grave threat than reported – both to individual users as well as companies that employ LastPass for corporate password management," said senior security researcher John Scott Railton.
Jeremi Gosney, a senior information security engineer at Yahoo has also been very critical of the response received from LastPass, and the company's approach to security. He said "in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7."
Another password service competitor 1Password doubts the "millions of years" claim made by LastPass, the former believes that the claim lies on the assumption 12 character passwords of LastPass users are generated via an entirely random process. However, in today's age, threat actors can crack your passwords in just 30 minutes if they happen to have the latest tools and technology.
Lessons learned from LastPass- How to protect your online life?
- If you're a LastPass user, it is highly likely that your online data is at risk. The following steps can however help users maintain internet security:
- Update passwords of important accounts immediately.
- Prioritize banking, email accounts, secure document storage, and other things as suggested by TechCrunch.
- Consider changing your password manager. You can go for other services like Bitwarden, Dashlane, and 1Password, these companies offer similar features and have a history of better track records in protecting user data.
- Choose a strong master password while creating an account, make sure it's new. An ideal password should be 12-16 random characters.
- Create an account on the hacking alert website Have I Been Pwned? which will send you updates in case your account has been breached.
