
LastPass admits hackers stole encrypted user password vaults: How to protect your account

If you are a LastPass user, it is time to update all your passwords and account details. And once that is done, one should ideally move the new data away from the password manager. That’s because LastPass has admitted that hackers stole encrypted user password vaults and other sensitive details. This is the company’s latest update regarding a security incident that was first reported in August 2022 where hackers had stolen the platform’s source code. Source code once compromised gives cybercriminals a closer look at proprietary systems and makes a platform more vulnerable to attacks. This is what was reported in November 2022, when the company admitted it had “detected unusual activity within a third-party cloud storage service.”

Now, in a new blog post, the company CEO Karim Toubba wrote that hackers gained access to other “credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Worryingly, LastPass has not mentioned how many users are impacted.

Hackers also stole key user information such as “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” They were also able to “copy a backup of customer vault data from the encrypted storage container,” which is the most troubling bit of information. This data also includes “unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” 

LastPass insists that the “encrypted fields” are still secure and “can only be decrypted with a unique encryption key derived from each user’s master password.” The platform does not store the master password itself. The company insists that “the encryption and decryption of data are performed only on the local LastPass client.” The company is also claiming that “there is no evidence that any unencrypted credit card data was accessed,” as it tries to reassure customers.

For enterprise customers, the company claims it continues to use “Zero Knowledge architecture and implements a hidden master password to encrypt your vault data.” The company has notified “a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations.”

Still, this is an “ongoing investigation,” and users should note that more information will likely come to light around this in the coming months.

What does this mean for users? How to protect your account?

While LastPass is not saying this outright, clearly users need to take action to secure their account information. Hackers will need to use brute force to guess the master password and then decrypt the copies of the stolen vault data, but there are many risks involved. It is recommended users change all passwords stored on the platform. That’s because LastPass’s claim that it will be “extremely difficult to attempt to brute force guess master passwords” applies only “for those customers who follow our password best practices.”

However, there is plenty of evidence to show that not everyone has the best password practices. If you are one of those with an easily guessed master password, your entire data is at risk of being compromised. LastPass is also warning that the hackers will “target customers with phishing attacks, credential stuffing, or other brute force attacks” to gain access to their accounts. If you get an email claiming to be from LastPass asking for personal information, do NOT click on it.

If you have a master password that is short, easily guessed or involves publicly available information about yourself, it is recommended that you change it immediately to avoid any further compromise to the account. A 12-character minimum is recommended for master passwords with numbers and special characters also in the mix.
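The two points above, that the vault key is derived locally from the master password and that a short master password leaves a stolen vault exposed, can be made concrete. The following is an added example written for this article, not LastPass’s own code; it assumes a PBKDF2-HMAC-SHA256 derivation with a constructed iteration count and a constructed attacker guess rate, and uses the account email as the per-user salt purely as an illustration.

```python
import hashlib
import math
import string

# Constructed parameters for illustration only (assumptions, not LastPass's
# real configuration): how many PBKDF2 rounds the client runs, and how many
# raw SHA-256 computations per second an attacker with stolen vault data
# might manage offline.
KDF_ITERATIONS = 600_000
KEY_BYTES = 32
ASSUMED_ATTACKER_HASHES_PER_SEC = 1e10
PRINTABLE_ALPHABET = 95  # ASCII letters, digits and punctuation


def derive_vault_key(master_password: str, salt: str,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive the vault encryption key on the client from the master password.

    Only the derived key ever touches vault data; the master password itself
    is never sent or stored, which is why a stolen encrypted vault is useless
    without first guessing the password.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=KEY_BYTES)


def master_password_meets_minimum(pw: str, min_len: int = 12) -> bool:
    """Check the article's recommendation: at least 12 characters, with digits
    and special characters in the mix."""
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    return len(pw) >= min_len and has_digit and has_special


def search_space_bits(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> float:
    """Entropy of a uniformly random password of this length, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int = PRINTABLE_ALPHABET,
                     iterations: int = KDF_ITERATIONS,
                     hashes_per_sec: float = ASSUMED_ATTACKER_HASHES_PER_SEC) -> float:
    """Years needed to try every random password of this length offline.

    Each guess costs a full key derivation, so the KDF iteration count divides
    the attacker's effective guess rate.
    """
    guesses_per_sec = hashes_per_sec / iterations
    total_candidates = alphabet_size ** length
    return total_candidates / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample account; changing the master password rotates the key.
    old_key = derive_vault_key("summer2020", "user@example.com")
    new_key = derive_vault_key("Tr0ub4dor&3xtra!", "user@example.com")
    print("key rotated:", old_key != new_key)
    for length in (8, 12, 16):
        print(f"{length} chars: {search_space_bits(length):.1f} bits, "
              f"~{years_to_exhaust(length):.3g} years to exhaust")
```

Rerunning the estimate with a lower iteration count shows why the KDF work factor matters as much as length: halving the iterations halves the attacker’s cost per guess. The figures are upper bounds for random passwords; dictionary-based or reused master passwords fall far sooner, which is the article’s point about changing a weak one.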

It is also recommended not to reuse the master password on another website. While LastPass claims that those with secure master passwords need not worry, those who have not followed the recommended steps should “consider minimizing risk by changing passwords of websites you have stored.” Overall, it might be a good time to take stock of your digital security this weekend if you are a longtime LastPass user.




National Cyber Security