Categories: Data Security InfoSec News

LastPass finally admits attackers have a copy of customers’ password vaults

Published by RiSec.Mitch

Customers of the password manager LastPass have been informed that, during the attack on its servers in August 2022, unidentified persons copied encrypted files containing their stored passwords.

The August 2022 attack saw “some source code and technical information being stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” according to a December 22 update to the incident’s advice from LastPass.

Using those credentials, the attacker was able to copy data “that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

According to the update, the hacker also copied information from the “customer vault” file, in which LastPass users store their passwords.

This file “is saved in a proprietary binary format and contains both fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data, as well as unencrypted data, such as website URLs.”

In other words, the attackers have a copy of user passwords. The good news is that these passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key created from each user’s master password.”

Customers who use LastPass’ default settings are told that, even though attackers hold a copy of that file, this update changes nothing for them, because “it would take millions of years to guess your master password using generally available password-cracking technologies.”

Not reusing the master password needed to access LastPass is one of the default options. The company advises that you create a complicated password and only use it to access LastPass.
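The following Python model, added here as an illustration and not code from the article or from LastPass, shows why a stolen encrypted vault is only as safe as the master password's entropy and the cost of the key derivation behind it. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the attacker hash rate and the salt are assumptions, not figures taken from the page.

```python
"""Added example: why a stolen, encrypted vault is only as safe as the master
password and the key-derivation cost behind it (not code from the article or
from LastPass; KDF choice, iteration count and hash rate are assumptions)."""
import hashlib
import math

# Assumed parameters, not figures taken from the article.
KDF_ITERATIONS = 100_100          # PBKDF2 rounds applied to the master password
KEY_LEN = 32                      # 256-bit AES vault key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into the vault's 256-bit key with
    PBKDF2-HMAC-SHA256 (assumed KDF). Whoever holds the vault file must
    repeat this work for every candidate password they try."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password; a reused or dictionary
    password has far less, whatever its length."""
    return length * math.log2(charset_size)


def expected_years_to_guess(entropy_bits: float, hash_rate: float,
                            iterations: int = KDF_ITERATIONS) -> float:
    """Average offline guessing time: each candidate costs `iterations`
    hashes, and on average half the keyspace is searched before a hit."""
    guesses_per_second = hash_rate / iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"          # constructed sample value
    key = derive_vault_key("correct horse battery staple", salt)
    print(f"vault key: {key.hex()[:16]}... ({len(key) * 8} bits)")

    # Assumed attacker capability: 1e10 raw SHA-256 operations per second.
    rate = 1e10
    for label, bits in [
        ("12 random printable chars", password_entropy_bits(12, 95)),
        ("8 random lowercase chars", password_entropy_bits(8, 26)),
        ("word from a 100k-entry list", math.log2(100_000)),
    ]:
        years = expected_years_to_guess(bits, rate)
        print(f"{label:28s} {bits:5.1f} bits -> {years:.3g} years")
```

The last two rows are the case LastPass warns about: a short, reused or dictionary master password collapses the search from geological time to seconds, however many iterations the KDF runs.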

However, users frequently display mind-bogglingly careless password selection, with two thirds of users reusing passwords despite the fact that they should know better.

Oh, and don’t forget that the LastPass client vault has plenty of other secure spaces for storing private data.

Therefore, LastPass provided the following guidance to both individual users and business users:

If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.

Dear reader, enjoy changing all those passwords.

The update from LastPass ends with the announcement that the compromised systems have been decommissioned and new infrastructure with increased security has been constructed.


This post was last modified on 23 December 2022 9:50 PM

RiSec.Mitch

Just your average information security researcher from Delaware US.

Tags: datasec infosec LastPass
