LastPass, one of the internet’s most popular password management services, just provided another update about the cybersecurity breach that took place in late November. Turns out that hackers were able to steal a lot of sensitive data this time. a
In a blog post published by the company concerning the incident, LastPass acknowledged that the August 2022 breach enabled bad actors to access some of its systems after the security credentials of one of its employees were compromised.
In November, the hackers used the access keys for one of the company’s cloud storage services and some decryption keys to copy basic contact information from customers from a backup file that contained end-user names, billing addresses, e-mail addresses, and telephone numbers – among other sensitive data.
In addition, the hackers were able to copy a backup of customers’ vault data, which include both encrypted (passwords and usernames) and non-encrypted data (website URLs). Since the passwords held within the LastPass system are stored locally and can only be decrypted by accessing the user’s master password, the encrypted data appears to be safe according to the company.
Moreover, LastPass stated that its findings do not indicate that unencrypted credit card data was accessed as the company does not store full credit card numbers while the data is archived in another cloud storage environment.
I Was a Victim of the LastPass Breach, Here’s What Hackers Tried to Do
On a personal note, I have been a user of LastPass for many years and I was recently the target of a phishing attack. Fortunately, I was able to recognize what it was since the beginning and canceled the card right after noticing what was happening
The modus operandi of the hackers was quite clever. They charged my card with a small amount and sent me e-mails and made phone calls that prompted me to talk to an agent about a potentially fraudulent transaction on my card.
Even though I have no proof, the timeline of the attack coincides perfectly with the LastPass breach. I held the data from my card on a secure note, which should supposedly be encrypted.
Hackers May Try to Brute Force Users’ Master Password
According to LastPass, hackers may attempt to use brute force software to guess the master password of users. The fact that they possess certain key personal data from the users facilitates this task.
The company said that those who follow its best practices guidelines for setting up their master passwords should be relatively safe. Users should stay on full alert for any possible social engineering and phishing attacks that may be used to retrieve their LastPass master password. LastPass said that its team will never contact a customer to ask for its master password for any reason.
LastPass’ business customers were also affected by the breach. However, the company stated that those that have implemented Federated Login Services do not need to take any immediate actions to protect themselves.
However, customers who did not use this feature and whose master password does not comply with the company’s suggested best practices may be subject to brute force attempts that will have a higher chance of success.
What is LastPass and Why Do People Use It?
Password management apps are quite useful for individuals who need to regularly access a large number of websites as part of their routine activities. With LastPass, people can download an extension to their browser and the system will automatically fill in the required username and password fields to complete the login process.
LastPass’s passwords and usernames are protected by the firm’s Zero Knowledge architecture. By design, LastPass does not know the master password of a user. Instead, the decryption of the user’s vault is performed locally, meaning that the decryption keys are not transmitted to LastPass’s servers at any point.
This protects the user from having their usernames and passwords syphoned from the company’s servers. However, this latest breach is still harmful and detrimental to the well-being of those affected as bad actors have managed to get their hands on a large amount of personal data that can be used for malicious purposes.
Disclaimer: This is a paid release that was not written by Crypto Online News. The statements, views and opinions expressed in this column are solely those of the content provider and do not necessarily represent those of Crypto Online News. Crypto Online News does not guarantee the accuracy or timeliness of information available in such content. Do your research and invest at your own risk.
Comments