Menu Close

LastPass says hackers stole customers’ password vaults

Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data. The unencrypted data includes vault-stored web addresses, but LastPass does not say more or in what context. It’s not clear how recent the stolen backups are.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”

Toubba said that the cybercriminals also took vast reams of customer data, including names, email addresses, phone numbers and some billing information.

Password managers are overwhelmingly a good thing to use for storing your passwords, which should all be long, complex and unique to each site or service. But security incidents like this are a reminder that not all password managers are created equal and can be attacked, or compromised, in different ways. Given that everyone’s threat model is different, no one person will have the same requirements as the other.

In a rare shituation (not a typo) like this — which we spelled out in our parsing of LastPass’s data breach notice — if a bad actor has access to customers’ encrypted password vaults, “all they would need is a victim’s master password.” An exposed or compromised password vault is only as strong as the encryption — and the password — used to scramble it.

The best thing you can do as a LastPass customer is to change your current LastPass master password to a new and unique password (or passphrase) that is written down and kept in a safe place. This means that your current LastPass vault is secured.

If you think that your LastPass password vault could be compromised — such as if your master password is weak or you’ve used it elsewhere — you should begin changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, your cell phone plan account, your bank accounts and your social media accounts, and work your way down the priority list.

The good news is that any account protected with two-factor authentication will make it far more difficult for an attacker to access your accounts without that second factor, such as a phone pop-up or a texted or emailed code. That’s why it’s important to secure those second-factor accounts first, like your email accounts and cell phone plan accounts.

LastPass says hackers stole customers’ password vaults by Zack Whittaker originally published on TechCrunch

Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year. In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by
LastPass says hackers stole customers’ password vaults by Zack Whittaker originally published on TechCrunch   TechCrunch 

Generated by Feedzy

Disclaimer

Innov8 is owned and operated by Rolling Rock Ventures. The information on this website is for general information purposes only. Any information obtained from this website should be reviewed with appropriate parties if there is any concern about the details reported herein. Innov8 is not responsible for its contents, accuracies, and any inaccuracies. Nothing on this site should be construed as professional advice for any individual or situation. This website includes information and content from external sites that is attributed accordingly and is not the intellectual property of Innov8. All feeds ("RSS Feed") and/or their contents contain material which is derived in whole or in part from material supplied by third parties and is protected by national and international copyright and trademark laws. The Site processes all information automatically using automated software without any human intervention or screening. Therefore, the Site is not responsible for any (part) of this content. The copyright of the feeds', including pictures and graphics, and its content belongs to its author or publisher.  Views and statements expressed in the content do not necessarily reflect those of Innov8 or its staff. Care and due diligence has been taken to maintain the accuracy of the information provided on this website. However, neither Innov8 nor the owners, attorneys, management, editorial team or any writers or employees are responsible for its content, errors or any consequences arising from use of the information provided on this website. The Site may modify, suspend, or discontinue any aspect of the RSS Feed at any time, including, without limitation, the availability of any Site content.  The User agrees that all RSS Feeds and news articles are for personal use only and that the User may not resell, lease, license, assign, redistribute or otherwise transfer any portion of the RSS Feed without attribution to the Site and to its originating author. The Site does not represent or warrant that every action taken with regard to your account and related activities in connection with the RSS Feed, including, without limitation, the Site Content, will be lawful in any particular jurisdiction. It is incumbent upon the user to know the laws that pertain to you in your jurisdiction and act lawfully at all times when using the RSS Feed, including, without limitation, the Site Content.  

Close Bitnami banner
Bitnami