Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store customers’ passwords and other secrets, in a data breach earlier this year.
In an updated blog post, LastPass CEO Karim Toubba said after the disclosure that the intruders used cloud storage keys stolen from LastPass employees to obtain copies of customer vault data backups. The cache of customers’ password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but the technical and security details of this proprietary format are not specified. The unencrypted data includes URLs stored in the vault, but LastPass did not say what else is stored unencrypted or under what circumstances. It’s unclear how recent the stolen backups are.
LastPass said customers’ password vaults are encrypted and can only be unlocked with the customer’s master password, which only the customer knows. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to crack your master password and decrypt copies of the vault data they obtained.”
Cybercriminals also stole a large amount of customer data, including names, email addresses, phone numbers and some billing information, Toubba said.
Using a password manager is overwhelmingly a good idea: it stores your passwords, which should be long, complex, and unique for each site or service. But security incidents like this one remind us that not all password managers are created equal, and that they can be attacked or compromised in different ways. Since everyone’s threat model is different, no two people have exactly the same requirements.
In a rare case like this one (see our analysis of the LastPass data breach notification), if the attackers have access to a customer’s encrypted password vault, “all they need is the victim’s master password.” The strength of an exposed or compromised password vault depends on the encryption and on the strength of the password used to encrypt it.
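The point above, that the exposed vault is only as strong as the encryption and the master password, can be made concrete with a cost model. The following is an added example, not code from LastPass or from this article. It assumes (the article does not say this) that the vault key is derived from the master password with a slow key derivation function, here PBKDF2-HMAC-SHA256 from Python's standard library with a placeholder iteration count and a constructed salt, and it estimates how long exhausting the keyspace of different master-password styles would take at a given guess rate. The profiles and the guess rate are illustrative assumptions.

```python
import hashlib
import math
import os
import time

# Assumption, not from the article: the vault key comes from PBKDF2-HMAC-SHA256.
# The iteration count is a placeholder; real products choose their own value.
ITERATIONS = 100_000
SALT = os.urandom(16)  # constructed sample salt, regenerated on every run

# Illustrative master-password styles: (length, alphabet size).
PROFILES = {
    "8 lowercase letters": (8, 26),
    "12 mixed alphanumerics": (12, 62),
    "6 diceware words": (6, 7776),
}


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key from the master password (slow by design)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure how many key derivations one CPU core completes per second.

    Offline guessing against a stolen vault pays this cost for every guess,
    which is why the iteration count matters as much as the password.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"sample-guess-{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float) -> float:
    """Expected seconds to find a random password: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / rate


def estimate_table(rate: float, profiles=PROFILES) -> dict:
    """Expected crack time in seconds for each profile at the given guess rate."""
    return {
        name: expected_crack_seconds(keyspace_bits(length, alphabet), rate)
        for name, (length, alphabet) in profiles.items()
    }


if __name__ == "__main__":
    rate = guesses_per_second(ITERATIONS)
    print(f"single core: about {rate:,.1f} guesses/second at {ITERATIONS:,} iterations")
    for name, seconds in estimate_table(rate).items():
        print(f"{name:24s} {seconds / 31_557_600:,.1f} years")
```

Running it shows the asymmetry the article hints at: the iteration count slows each guess by a constant factor, whereas each extra character or word multiplies the keyspace, so a short master password stays crackable no matter how the vault is encrypted, while a long random one stays out of reach even if the attacker scales up to many cores.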
The best thing you can do as a LastPass customer is to change your current LastPass master password to a new, unique password (or passwords), write it down and keep it in a safe place. This keeps your current LastPass vault safe.
If you think your LastPass password vault might be compromised — for example, if your master password is weak or you’ve used it elsewhere — you should start changing the passwords stored in your LastPass vault. Start with the most important accounts, like your email account, your cell phone plan account, your bank account, and your social media accounts, and work your way down the priority list.
The good news is that any account protected by two-factor authentication will be harder for an attacker to access without the second factor, such as a phone prompt or a code sent by text or email. That’s why it’s important to secure these second-factor accounts first, such as your email and cell phone plan accounts.
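The rotation advice in the two paragraphs above (start with email and phone-plan accounts, then banking and social media, and secure the accounts that serve as second factors first) can be turned into a checklist. The following is an added example, not code from LastPass or from this article. It reads a constructed CSV export whose column names are assumed for illustration, ranks each entry by the priority order the article gives, and flags entries whose password matches the master password, is reused across entries, or has no second factor recorded.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not real data); the column layout is an assumption.
SAMPLE_EXPORT = """url,username,password,totp
https://mail.example.com,alice,Tr0ub4dor&3,
https://carrier.example.net,alice,correct horse battery staple,
https://bank.example.org,alice,Tr0ub4dor&3,yes
https://social.example.com,alice,hunter2,
https://forum.example.io,alice,hunter2,
"""

# Priority order from the article, highest first; the hostname keywords are
# illustrative assumptions and would need tuning for a real export.
PRIORITY = [
    ("email", ("mail",)),
    ("phone carrier", ("carrier", "mobile", "wireless")),
    ("bank", ("bank",)),
    ("social media", ("social",)),
]


def classify(url: str):
    """Return (rank, label) for a vault entry; unmatched entries rank last."""
    host = url.lower()
    for rank, (label, keywords) in enumerate(PRIORITY):
        if any(keyword in host for keyword in keywords):
            return rank, label
    return len(PRIORITY), "other"


def rotation_plan(export_text: str, master_password: str) -> list:
    """Build an ordered rotation checklist with per-entry risk flags."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    reuse = Counter(row["password"] for row in rows)
    plan = []
    for row in rows:
        rank, label = classify(row["url"])
        flags = []
        # A vault password equal to the master password falls with the vault.
        if row["password"] == master_password:
            flags.append("same as master password")
        # Reuse means one cracked entry unlocks several accounts.
        if reuse[row["password"]] > 1:
            flags.append(f"reused on {reuse[row['password']]} entries")
        # Without a second factor, the password alone grants access.
        if not row["totp"].strip():
            flags.append("no second factor")
        plan.append({"rank": rank, "label": label, "url": row["url"], "flags": flags})
    # Stable sort keeps the export order within each priority tier.
    plan.sort(key=lambda entry: entry["rank"])
    return plan


if __name__ == "__main__":
    for entry in rotation_plan(SAMPLE_EXPORT, "hunter2"):
        print(f"[{entry['label']}] {entry['url']}: {', '.join(entry['flags']) or 'ok'}")
```

The order of the output is the order in which to rotate: the email account comes first because it is the recovery channel and second factor for most of the others, and the flags show which entries give an attacker the most leverage if the vault's master password is cracked.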