Password manager LastPass encountered a security breach in August this year, which led to the loss of confidential technical data and a part of the company’s source code. Hackers later used the stolen information to hack LastPass again at the end of November.
LastPass has returned with a new statement regarding the effects of its security breach.
Threat Actors Stole LastPass Customer Data Vaults
The well-known password management service disclosed on Thursday that, using information stolen from the earlier break-in, threat actors could steal a trove of personal data belonging to its users, including their encrypted password vaults.
Early in December, the extent of the attack was unclear, but now the business has disclosed that hackers also took copies of users’ password vaults, emails, names, phone numbers, billing addresses, and more.
LastPass CEO Karim Toubba said in a new blog post that attackers made a backup copy of client vault data by stealing cloud storage keys from a LastPass employee.
The customer password vault cache is saved in a “proprietary binary format,” including encrypted and unencrypted vault data.
However, this proprietary format’s security and technical specifics weren’t provided. Vault-stored web addresses are among the unencrypted data.
The hackers also stole a backup of client vault data, which contained both encrypted and unencrypted information, such as secure notes, website usernames, and passwords. It’s unclear how recent the backups that were stolen are.
In addition, according to LastPass, the encrypted fields are protected with 256-bit AES encryption and can only be unlocked with a special encryption key created using the user’s master password.
The master password is never known to the firm and isn’t saved or maintained by the company because LastPass uses a Zero Knowledge architecture.
How Can You Protect Your Passwords?
However, suppose you have a weak master password or less security. The company recommends that you decrease risk by changing the passwords of sites you have saved as an extra security measure.
Despite LastPass’s assurance that the account’s master password still protects passwords, it’s difficult to believe it, considering how it’s handled recent disclosures.
If you suspect your LastPass password vault has been compromised — for example, if you’ve used it elsewhere or your master password is weak — start updating your vault passwords.
Work down the priority list, starting with the most important accounts, such as your bank accounts, cell phone plan account, and social media accounts.
The good news is that two-factor authentication makes it much harder for a hacker to access your credentials without the second factor, which can be a text message, a phone pop-up, or an email with a code.
That’s why it’s critical to safeguard your second-factor accounts first, such as your cell phone plans and mail accounts.
LastPass’s Advice
LastPass mentioned that even though the business used hashing and encryption techniques to safeguard client data, malicious actors might try “brute force” methods to discover users’ master passwords and decode the copies of the vault data they stole.
LastPass has already been criticized for questionable security procedures. LastPass subscribers reported many attempted logins using accurate master passwords from various places in December 2021.
The business informed customers that password leaks from third-party breaches led to attacks.
With that said, LastPass has fully rebuilt its development environment, adopted strict procedures, and added authentication features to make it impossible for this kind of hack to happen again.
The business is working behind the scenes to find any unusual behavior in the cloud backup storage. Additionally, they’re identifying the precise data obtained during the hack, improving their safeguards, and informing business clients of the best course of action.