A big hack

The impact on password manager giant LastPass appears to be far worse than first thought. In an update announcement two days before Christmas, LastPass CEO Karim Toubba admitted that the attackers were able to successfully copy a backup of customer vault data. With this data in hand, the attackers could potentially access users’ entire collection of passwords and other data stored at LastPass if they figured out a way to guess a user’s Master Password.
To prevent an immediate spike in heart attacks, Toubba warned that it was “extremely difficult” to brute-force guess master passwords for customers using the company’s default settings and best practices. For those users, it could take “millions of years” for attackers to crack those codes using “commonly available password-cracking technology,” according to the CEO. LastPass says it shouldn’t have access to users’ Master Passwords.
However, this peace of mind does not necessarily apply to users with weaker Master Passwords. In those cases, LastPass advised users to change the passwords of all the websites they have saved, which could mean a busy, tedious day of frantically resetting account information. And while it may be true that strong master passwords are difficult to guess, even the strongest password could be compromised if it was reused on another site that was previously breached. There is no shortage of previously hacked passwords sitting on dark web markets. Affected LastPass customers may also be inundated with annoying phishing attempts trying to trick them into unknowingly handing over their keys to the kingdom.
In addition to the passwords, Toubba said the stolen vault data contained “fully encrypted sensitive fields such as website usernames and passwords, secure notes and form data” along with unencrypted URLs. Sophisticated attackers, The Verge notes, could use that information about the websites a user visits to create more convincing phishing campaigns.
LastPass did not immediately respond to Gizmodo’s request for comment.
For a company whose main service is collecting and protecting passwords in one safe place, this is as bad as it gets. LastPass first disclosed the latest attacks in a blog post late last month. At the time, the company cryptically claimed that the attacker was able to access “certain elements” of “customer information” without providing any details. The company went on to say that no customer passwords were affected by the incident, which is technically true, but as we now know, it only tells part of the story.
Making matters worse, this recent hack seems to have been made possible by a previous incident only six months earlier. In that case, according to the company, the attacker stole “source code and technical information” from its development environment and used it to target an employee in order to obtain their credentials.
You see, in a digital world where users must juggle dozens and dozens of credentials, password managers are increasingly becoming a security must-have. At the same time, this high concentration of sensitive information is exactly what makes password manager services some of the most attractive targets for bad actors. LastPass should have seen this coming and should have shared these details with customers sooner if the information was available.
https://gizmodo.com/hackers-lastpass-users-password-vaults-change-now-1849926968 Hackers Had Access to LastPass Users’ Password Vaults