LastPass, a password manager giant, has confirmed that cybercriminals have accessed the encrypted password vaults of its customers. These vaults store passwords and other secrets. The breach occurred earlier in the year.
LastPass CEO Karim Toubba stated that the intruders obtained a copy of a backup of customer vault data using cloud storage keys stolen from a LastPass employee.
The customer password vault cache is kept in a proprietary binary format that includes encrypted and unencrypted vault data. However, technical and security details were not disclosed.
LastPass does not say much about the unencrypted data, which includes the web addresses stored in vaults. It also remains unclear when the backups were stolen.
LastPass stated that password vaults of customers are encrypted and cannot be unlocked without the master password, which is known only to the customer.
The company warns that cybercriminals “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”
Toubba stated that the cybercriminals also stole a large amount of other customer data, including names, phone numbers, and billing information.
Password managers are an excellent tool for storing your passwords, which should be long, complex, and unique to each website or service.
These security incidents are a reminder that password managers can be compromised in many ways, and not all password management systems are the same. Because everyone has a different threat model, each person will have different requirements.
For LastPass customers, it is a good idea to change your current master password to a unique passphrase or password that you have written down and stored in a safe location. Your LastPass vault will then be secured.
You should change the passwords in your LastPass vault if you suspect that your LastPass password vault may be compromised. It would be best to start with the most important accounts, like your email accounts, bank accounts, and social media accounts.
Two-factor authentication makes it much more difficult for attackers to access an account, because logging in also requires a second factor such as a pop-up on your phone or an emailed code. Protecting the accounts that deliver your second factor, such as your email account or cell phone plan account, is therefore important.