Despite being one of the most popular password managers on the market, LastPass has suffered another major breach, putting the passwords of customers risk as well as their personal information.
It was established just over a year ago that LastPass, a popular password manager that stores customers' passwords and other sensitive information in encrypted vaults, had been compromised by cybercriminals as a result of a data breach.
Karim Toubba, the CEO of LastPass who announced the hack, explained that the attackers took a copy of a backup of the information stored in a customer's vault as part of their intrusion. A LastPass employee used stolen cloud storage keys to access the data, which enabled them to steal keys from the company.
There are several different ways in which the cache of customer password vaults is kept. However, the specific technical and security details of this proprietary format were not disclosed. The data is stored in both an unencrypted and encrypted format.
It has been discovered that some of the web addresses that are stored in the vault, in the data that was not encrypted, are unencrypted. At this point, it is not known exactly when on the calendar the backups were stolen.
As a result of an unauthorized party gaining access to the LastPass subscriber account, it was discovered that unencrypted personal data from subscribers' accounts including LastPass user names, company names, billing addresses, email addresses, and phone numbers, as wetland l as IP addresses had been accessed by the unauthorized party. As far as Toubba is concerned, this is certainly the case. As a result of this same unauthorized party gaining access to the vault data of customers, a copy of that data was also stolen. The data stored in the vault by customers is both encrypted and unencrypted. This includes URLs of websites and usernames and passwords for all of the sites that are stored in the vault by customers.
Password vaults on LastPass are encrypted and can be accessed only with the customer's master password.
It is worth mentioning that the company has warned that the cybercriminals who are the culprits of this intrusion may try to decrypt the copies that they took of the vault data by using brute force to guess your master password.
Besides the names, email addresses, phone numbers, and some billing information of more than 300,000 of Toubba's customers, the cybercriminals took vast amounts of information from their accounts as well.
For storing your passwords, password managers are overwhelmingly a smart idea as they enable you to create long, complex, and unique passwords for each website or service you are using. If you do not already do so, you should. However, security incidents like this remind us that not all password managers are created equal. This may mean that different ways can be used to attack, or compromise, password managers. It is very significant to take into consideration that everyone's threat model differs, so no one's requirements will be the same as someone else's.
There are some rare circumstances (not typos) like this in which a bad actor may be able to access encrypted password vaults of customers, and if he or she does, then “all they need is the master password” of the victim if the bad actor gets access to those vaults. It is only as strong as the encryption used to scramble a password vault that has been exposed or compromised.
As a LastPass user, the most helpful thing you can do for yourself is to update your current master password from the one you currently have to one that is written down, preferably in a safe place and unique from the old password (or passphrase). As a result, you can rest assured that your current LastPass vault is protected.
You must begin changing all of the passwords stored in your LastPass vault as soon as you suspect your LastPass vault might be compromised - for instance, if your master password is weak or if you have used it elsewhere - such as your master password is weak. Identify the most critical accounts first, such as your email account, your mobile phone account, your bank account, and your social media account. These are the ones that you use most frequently. Start at the top of the priority list and work your way down from there.
There is a possibility that if you are a subscriber to LastPass, you may want to look for another password manager in light of the severity of this breach. There is a serious risk of exposing your passwords and personal information if your computer is hacked by an unauthorized person.
Is there anything LastPass customers should do?
If you are a LastPass subscriber, here's what you need to do right now to make sure that you have the latest version:
1. Look for a new password manager to keep track of your passwords
The severity of the latest breach and the history of security incidents with LastPass bring more reasons than ever to consider a different alternative, especially when you consider the company's history of security incidents.
2. The most important password on your site should be changed immediately
Several passwords are frequently forgotten, such as those used for online banking, financial records, internal company logins, as well as medical records.
CNET asked LastPass to answer additional questions it had regarding the breach. However, the company failed to respond to the questions, and the company would not clarify how many users were affected by the breach. However, if you are a LastPass subscriber, you have to live with the fact that nobody knows who has access to your user and vault data. You are putting your trust in that party.
