LastPass Admits Attackers Copied Password Vaults • The Register

Password Blocking LastPass has warned customers that when its systems were attacked in August 2022, unknown parties copied encrypted files containing the passwords into their accounts.

In a December 22 update on its guidance on the incident, LastPass updates customers by stating that in the August 2022 attack, “some source code and technical information was stolen from our development environment and used to target another employee attack to obtain credentials and keys used to access and decrypt some storage volumes within the cloud-based storage service.”

These credentials allowed the attacker to copy information “that contained basic customer account information and associated metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service to have”.

The update reveals that the attacker also copied “Customer Vault” data – the file LastPass uses to allow customers to record their passwords.

This file “is saved in a proprietary binary format that contains both unencrypted data such as website URLs and fully encrypted sensitive fields such as website usernames and passwords, secure notes and form data.”

This means the attackers have the users’ passwords. But thankfully, these passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.”

LastPass’s advice is that although attackers have this file, customers using their default settings will have nothing to do with this update because “it would take millions of years to break your master password using commonly available password-cracking technology.” to guess. ”

One of those defaults is not to reuse the Master Password required to log in to LastPass. The outfit suggests you make it a complex credential and only use that password for one thing: accessing LastPass.

However, we do know that users are often surprisingly lax when it comes to choosing good passwords, while two-thirds reuse passwords when they should know better.

While LastPass is confident that the files copied from its cloud will resist brute-force attempts to crack the master password, if those credentials are already out there… you know how this ends, and it’s not pleasant since one LastPass account can store hundreds of passwords. ul class=”listinks”>

Oh, and let’s not forget that the LastPass Customer Vault can also store a lot of other sensitive personal information.

LastPass has therefore given the following advice to private and business customers:

Happy changing all those passwords, dear reader.

The LastPass update concludes with the news that the systems breached in August 2022 have been decommissioned and a new infrastructure built to provide additional protection. ®

https://www.theregister.com/2022/12/23/lastpass_attack_update/ LastPass Admits Attackers Copied Password Vaults • The Register

Rick Schindler

World Time Todays is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – admin@worldtimetodays.com. The content will be deleted within 24 hours.

Related Articles

Back to top button