Hackers stole LastPass users’ encrypted password vaults, and we’re only now hearing about it

LastPass has posted an update about a recent data breach. The company, which promises to keep all of your passwords in one secure place, now says the hackers were able to copy a backup of “customer vault data,” meaning they could theoretically access all of those passwords if they manage to crack the stolen vaults (via TechCrunch).

If you have a LastPass account that you use to store passwords or login information, your vault could be at risk. The company says your vault may still be protected if you have a strong master password and the most recent default settings, but it warns that if you have a weak master password or a lower security setting, you should change the website passwords you have stored there to reduce your risk.

That could mean changing the password for every website whose credentials you trusted LastPass to store.

LastPass says the passwords are still protected by the master password, but given how the company has handled this disclosure, it is hard to take its word for it.

When the company announced it had been breached in August, it said it was not sure whether user data had been accessed. Then, in November, LastPass confirmed a second intrusion, which it said apparently relied on information stolen in August. It would have been nice if that possibility had been made known sometime between August and November. That intrusion, the company said, allowed someone to “access certain elements” of customers’ data. Those “certain elements”, it turns out, were the most sensitive and confidential things LastPass holds. The company says there is “no evidence” that unencrypted credit card data was accessed, but that is cold comfort compared with what the hackers did get; a few cards can always be cancelled.

Customer vault backups were stored in the cloud

We’ll get to how it all happened in a moment, but first, here is what Karim Toubba, CEO of LastPass, has to say about the theft of the vaults.

The threat actor was also capable of backing up customer vault data from an encrypted storage box that contained unencrypted data such as website URLs and other sensitive data. Secure fields like website usernames, passwords, secure notes, and form-filled data are fully encrypted.

Toubba says the only way for a malicious actor to gain access to the encrypted data, and so to your passwords, would be with your master password, which LastPass says it never had.

That’s why, he said, “it would be very difficult to try brute-force guessing master passwords” as long as you had a really good master password that you never reused anywhere else (and as long as there wasn’t some technical flaw in the way LastPass encrypted the data, although the company has had some very basic security bugs before). Still, anyone holding a copy of the vaults could try to unlock them by guessing passwords over and over, which is what brute force means.

LastPass says that using its default settings should protect you against this type of attack, but it does not mention any feature that would stop someone from trying to open a stolen vault over and over for days, months, or years. There is also another way master passwords could be compromised: if someone reused their master password for other logins, it may already have leaked in another data breach.

It’s also worth noting that if you had an older account (created before the newer default that was introduced after 2018), a weaker password-strengthening process may have been used to protect your master password. LastPass states that it currently uses a stronger-than-typical 100,100 iterations of its password-based key derivation function, but it does not specify when that default changed. One of our staffers checked their account using the link the company posted on its blog and was told it was set to 5,000 iterations.
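To make the iteration-count point concrete, here is an added example (not LastPass’s code, and not from the original article) that derives a vault key with PBKDF2-HMAC-SHA256 at 5,000 and at 100,100 iterations, times one derivation at each setting, and turns that into how long a single CPU core would need to try every password in a small keyspace. PBKDF2-HMAC-SHA256 is assumed as the construction, since the page only says “password-based key derivation”; the salt, sample passwords and keyspaces are constructed for illustration. The takeaway is that the higher iteration count multiplies an attacker’s per-guess cost by a fixed factor (100,100 divided by 5,000 is about 20x), while every extra bit of password entropy doubles it, which is why a strong master password that is used nowhere else matters more than the setting.

```python
"""Added example: why the PBKDF2 iteration count matters once a vault is stolen.

Constructed demo, not LastPass code. Assumes the vault key is derived with
PBKDF2-HMAC-SHA256 (the article says only "password-based key derivation");
the salt, passwords and keyspaces below are made up for illustration.
"""
import hashlib
import hmac
import math
import time

OLD_ITERATIONS = 5_000     # count one older account was found to be using
NEW_ITERATIONS = 100_100   # count LastPass says it uses today


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256 (assumed construction)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def work_factor_ratio(new_iterations: int, old_iterations: int) -> float:
    """PBKDF2 cost grows linearly with the iteration count, so this is how many
    times more work each guess costs an attacker at the new setting."""
    return new_iterations / old_iterations


def time_one_derivation(iterations: int, rounds: int = 3) -> float:
    """Wall-clock seconds for one derivation at `iterations`, best of `rounds`."""
    best = math.inf
    for _ in range(rounds):
        start = time.perf_counter()
        derive_vault_key("timing-probe", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def seconds_to_exhaust(keyspace: float, seconds_per_guess: float) -> float:
    """Time to try every password in `keyspace` at `seconds_per_guess` per guess."""
    return keyspace * seconds_per_guess


def check_master_password(candidate: str, salt: bytes, iterations: int,
                          expected_key: bytes) -> bool:
    """Verify a candidate against a stored key in constant time (what a client does at unlock)."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), expected_key)


def main() -> None:
    salt = b"constructed-salt-not-real"  # assumption: the real salt choice is not on the page
    key_old = derive_vault_key("correct horse battery staple", salt, OLD_ITERATIONS)
    key_new = derive_vault_key("correct horse battery staple", salt, NEW_ITERATIONS)
    assert key_old != key_new  # same password, different iteration count, different key

    t_old = time_one_derivation(OLD_ITERATIONS)
    t_new = time_one_derivation(NEW_ITERATIONS)
    print(f"one guess at {OLD_ITERATIONS:,} iterations: {t_old * 1000:.1f} ms")
    print(f"one guess at {NEW_ITERATIONS:,} iterations: {t_new * 1000:.1f} ms")
    print(f"work factor: {work_factor_ratio(NEW_ITERATIONS, OLD_ITERATIONS):.2f}x per guess")

    # Constructed keyspaces, single core on this machine. Real attackers bring GPUs and
    # many cores, so read these as lower bounds on what a strong, unique password buys.
    keyspaces = [
        ("8 random lowercase letters", 8 * math.log2(26)),
        ("4 random words from a 7776-word list", 4 * math.log2(7776)),
    ]
    for label, bits in keyspaces:
        for iters, per_guess in ((OLD_ITERATIONS, t_old), (NEW_ITERATIONS, t_new)):
            years = seconds_to_exhaust(2 ** bits, per_guess) / (365 * 24 * 3600)
            print(f"  {label} ({bits:.0f} bits) at {iters:,} iterations: "
                  f"~{years:.3g} core-years to exhaust")


if __name__ == "__main__":
    main()
```

Run it as a script to see the per-guess timings on your own machine; the printed core-years are what a single core of that machine would need, so divide by the parallelism you expect an attacker to have.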

Perhaps the most worrying part is the unencrypted data. Because it includes URLs, it could tell the hackers which websites you have accounts with, and that is valuable information for phishing and other attacks if they choose to go after specific users.

If I were a LastPass user, I wouldn’t be happy with how the company shared this information.

None of this is good news, but it could happen to any company that stores secrets in the cloud. Cybersecurity is not about having a perfect track record; it is about how you respond when disaster strikes.

LastPass’s performance here is a complete failure, in my opinion.

Remember, they’re making this announcement today, on December 22nd — three days before Christmas, which is when many IT departments are pretty much on vacation, and when people aren’t likely to care about updates from their password manager.

(Also: the announcement doesn’t even get to the copied vaults until five paragraphs in. Some of what comes before it is useful context, but it is reasonable to expect such an important piece of information at the top.)

LastPass says its vault backups were not compromised in the August breach. Instead, it says the threat actor used information from that breach to target an employee who had access to a third-party cloud storage service. The vaults were copied from one of the cloud storage folders that was accessed, along with backups containing “basic customer information and related metadata”. According to LastPass, that includes company names, end-user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed LastPass.

Toubba said the company is taking precautions in light of the breach and of the secondary breach that exposed the backups: it has added more logging to detect suspicious activity in the future, rebuilt its development environment, and rotated credentials.

That is all fine; these are things you should do. But if I were a LastPass customer, I would consider leaving, because there are two possible scenarios. Either the company did not know that backups containing users’ vaults were sitting at a cloud storage provider when it announced on November 30th that it had detected unauthorized activity, or it did know that the hackers could have accessed that information and chose not to tell customers. Neither is a good look.
