Tech
We Just Learned That Hackers Stolen LastPass Password Vaults
LastPass Password Vaults
LastPass has issued an updated statement regarding a recent data breach: the company, which promises to keep all of your passwords in one secure location, is now claiming that hackers were able to copy a backup of customer vault data, which means they theoretically now have access to all of those passwords if they can crack the stolen vaults.
If you use LastPass to store passwords and login information, or if you used to have one and didn’t erase it before this fall, your password vault could be in the hands of hackers. Nonetheless, the organization claims that if you have a strong master password and the most recent default settings, you may be protected.
However, if you have a weak master password or less security, the company recommends that you consider decreasing risk by changing the passwords of websites you have stored as an extra security measure. That could imply updating the passwords for all of the websites you trusted LastPass to keep.
LastPass says that passwords are still safeguarded
While LastPass says that passwords are still safeguarded by the account’s master password, considering how it’s handled these exposures, it’s difficult to believe that. When the company revealed the hack in August, it stated that it did not believe any user data had been accessed.
Then, in November, LastPass announced that it had discovered an intrusion, which appeared to be based on information stolen in the August event (it would have been good to learn about that possibility between August and November). Because of this infiltration, someone was able to get access to certain parts of consumer information.
It turns out that those certain aspects were, you know, the most crucial and sensitive information stored by LastPass. According to the firm, there is no evidence that any unencrypted credit card data was obtained, yet that would have been better than what the hackers got away with. At the very least, canceling a card or two is simple.
LastPass CEO Karim Toubba says the vaults were stolen.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data like website URLs and fully-encrypted sensitive fields like website usernames and passwords, secure notes, and form-filled data.
According to Toubba, the only way a bad actor could access that encrypted data, and thus your passwords, is through your master password. According to LastPass, it has never had access to master passwords.
That’s why, according to him, it would be extremely difficult to attempt to brute force guess master passwords, as long as you had a very good master password that you never reused (and there wasn’t some technical flaw in the way LastPass encrypted the data — though the company has made some pretty basic security mistakes in the past).
LastPass says using its recommended defaults should protect
However, anyone who possesses this data could attempt to unlock it by guessing random passwords, often known as brute-forcing. LastPass says using its recommended defaults should protect you from such an attack, but it doesn’t specify any feature that would prevent someone from repeatedly trying to unlock a vault over days, months, or years.
It’s also possible that people’s master passwords are available in other ways — if they re-use their master password for other logins, it might have slipped out during previous data breaches.
It’s also worth noting that if you have an older account (prior to a revised default option implemented after 2018), your master password may have been protected by a weaker password-strengthening process.
Password-Based Key Derivation Function
LastPass currently utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function, yet when a Verge staff member verified their older account using a link included in the company’s blog, it said their account was set at 5,000 iterations.
Perhaps the most worrying aspect is the unencrypted data, which includes URLs and could provide hackers with information about which websites you have accounts with. If they decide to target specific users, that information might be extremely useful when paired with phishing or other sorts of assaults.
None of that is good news, but any organization storing secrets in the cloud could experience it. In cybersecurity, it’s not how you react to crises that matter.
LastPass has failed me here. Remember, it’s making this news three days before Christmas, when many IT teams will be on vacation and workers won’t be paying attention to password manager upgrades. (The notification mentions copying vaults five paragraphs in.) While some information is bolded, a major announcement should be at the top.)
LastPass says the vault backup wasn’t hacked in August; the threat actor utilized information from that breach to target an employee with access to a third-party cloud storage service.
The vaults and backups including basic customer account information and related metadata were stored in and copied from one of the cloud storage volumes. LastPass says that includes corporate names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses.
Related CTN News:
