LastPass says hackers stole customers’ password vaults TechCrunch
Password management giant LastPass has confirmed that cybercriminals stole customers’ encrypted password vaults, which store customer passwords and other secrets, in a data breach earlier this year.
In an updated blog post about the disclosure, LastPass CEO Karim Toubba said the intruders took a backup of customer vault data using cloud storage keys stolen from a LastPass employee. The customer password vaults are stored in a “proprietary binary format” containing both unencrypted and encrypted vault data, but LastPass did not specify the technical or security details of this format. The unencrypted data in the vault includes web addresses, but LastPass does not say what else is unencrypted or in what context. It is also not clear how recent the stolen backups were.
LastPass says each customer’s password vault is encrypted and can only be unlocked with the customer’s master password, which is known only to the customer. But the company warned that the cybercriminals behind the hack “could try to use brute force to guess your master password and decrypt copies of vault data they’ve taken.”
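To make the brute-force warning above concrete, here is an added example (not code from the article or from LastPass) that stretches a master password into a vault key with PBKDF2-HMAC-SHA256, measures how many guesses per second a single CPU core can make against that cost, and converts a passphrase’s entropy into worst-case time to exhaust the keyspace. The iteration count and the diceware-style word list size are assumptions; the article does not give LastPass’s actual key-derivation settings.

```python
import hashlib
import math
import os
import time

# Assumption: the article does not state LastPass's KDF parameters, so this
# round count is a constructed placeholder, not the real setting.
KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit vault key (PBKDF2-HMAC-SHA256).

    An attacker holding a stolen encrypted vault must repeat exactly this
    work for every master-password guess, so the cost of one derivation
    directly bounds how fast an offline attack can run.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def measure_guess_rate(iterations: int = KDF_ITERATIONS, samples: int = 5) -> float:
    """Guesses per second one CPU core achieves against this KDF cost."""
    salt = os.urandom(16)  # constructed salt; real vaults carry their own
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list.

    7776 is the size of a standard diceware-style word list (assumed here).
    """
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate of the given entropy."""
    return (2 ** entropy_bits) / guesses_per_second


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"single-core guess rate at {KDF_ITERATIONS} rounds: {rate:,.0f}/s")
    for n in (3, 4, 6):
        bits = passphrase_entropy_bits(n)
        years = seconds_to_exhaust(bits, rate) / (365 * 24 * 3600)
        print(f"{n}-word passphrase: {bits:.1f} bits, worst case {years:,.0f} core-years")
```

A real attacker would use many cores or GPUs, so scale the single-core rate accordingly when judging whether a given master password is long enough.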
Toubba said the cybercriminals also obtained a large amount of customer data, including names, email addresses, phone numbers and some payment information.
Password managers are a good thing to use for storing your passwords, which should all be long, complex and unique to each site or service. But security incidents like this are a reminder that not all password managers are created equal, and that they can be hacked or compromised in different ways. Because everyone’s threat model is different, no two people will have the same requirements.
In a case like this – which we spelled out in our analysis of LastPass’s data breach notice — if a bad actor has access to a customer’s encrypted password vault, “all they need is the victim’s master password.” An exposed or compromised password vault is only as strong as the encryption — and the password — used to protect it.
The best thing you can do as a LastPass customer is to change your existing LastPass master password to a new and unique password (or passphrase) that is written down and kept in a safe place. This will keep your existing LastPass vault secure.
If you think your LastPass password vault could be compromised — for example, if your master password is weak or you have used it elsewhere — you should start changing the passwords stored in your LastPass vault. Start with the most important accounts, such as your email accounts, cell phone plan accounts, bank accounts and social media accounts, and work your way down the priority list.
The good news is that any account protected with two-factor authentication will be much harder for an attacker to get into without that second factor, such as a pop-up on your phone or a code sent by text message or email. That’s why it’s important to secure those second-factor accounts first, such as your email accounts and cell phone plan accounts.