On Aug. 25, online password manager LastPass reported the theft of some of its source code and proprietary information, but said there is no evidence customer information from its more than 33 million users or encrypted password vaults were accessed.
LastPass' Karim Toubba said a developer account had been breached, allowing an unauthorized party to access the company's development environment.
The unusual activity was detected two weeks ago, prompting an investigation.
Toubba said the company is working with a cybersecurity and forensics firm and has rolled out additional security measures.
LastPass stores encrypted login information that users can access online with a master password, but LastPass itself cannot see customers' data.
From The Wall Street Journal
Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA
LastPass users need to hear that the threat actors got unencrypted copies of the URLs in their vaults and metadata like their history of IP addresses accessing lastpass.com.
Furthermore, each vault's usernames, passwords, and notes are encrypted with only the master password. (Some other password managers use an additional secret key so guessing the master password won't suffice.) The threat actors have lots of time to try decrypting the vaults with lists of passwords stolen elsewhere, who knows how much GPU budget, hashed password caches, and spear-phishing attacks that appear to come from the customer's bank branch.
A vault's notes are likely to contain 2FA recovery keys, bank account numbers, security Q&A, and other sensitive data since LastPass was supposed to be well managed secure storage for such data.
The only protection now is to change all those passwords and keep them somewhere else.
Security researchers have much to say, e.g. https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
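The design difference the comment above points at (a vault key derived from the master password alone versus one that also mixes in a device-held secret key) can be shown in a few lines. The following is an added illustration written for this page; it is not LastPass's or any other vendor's code, and its iteration count, salt choice and "verifier" check are constructed stand-ins for a real vault format. The point it demonstrates: with the stolen vault in hand, a correctly guessed master password is sufficient under scheme A, but not under scheme B, because the attacker also needs the secret key that never left the user's devices.

```python
import hashlib
import hmac

# Constructed work factor for the demo; real products use their own settings.
ITERATIONS = 100_000
VERIFIER_LABEL = b"vault-key-check"  # constructed label for the key-confirmation tag


def derive_vault_key(master_password, email, secret_key=None, iterations=ITERATIONS):
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256.

    Scheme A (secret_key=None): the key depends only on the master password
    and a public salt (here the account e-mail), so the offline guessing
    space is exactly the master-password space.

    Scheme B (secret_key given): a high-entropy secret known only to the
    user's enrolled devices is mixed into the password material, so a stolen
    vault plus a guessed master password still yields the wrong key.
    """
    salt = email.strip().lower().encode()
    material = master_password.encode()
    if secret_key is not None:
        material = secret_key + b"\x00" + material
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def seal_vault(master_password, email, secret_key=None):
    """Build the minimal 'stolen blob' an attacker would hold: the public salt
    plus a key-confirmation tag. A real vault would also carry the
    ciphertext; the tag alone is enough to show which scheme unlocks."""
    key = derive_vault_key(master_password, email, secret_key)
    return {
        "email": email,
        "verifier": hmac.new(key, VERIFIER_LABEL, "sha256").digest(),
    }


def vault_unlocks(blob, master_password, secret_key=None):
    """Return True if the supplied credentials reproduce the blob's tag,
    i.e. the vault key would be the correct one."""
    key = derive_vault_key(master_password, blob["email"], secret_key)
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, blob["verifier"])


if __name__ == "__main__":
    # Constructed sample account; the secret key stands in for a value
    # generated on the user's device and never stored server-side.
    email = "user@example.com"
    device_secret = bytes(range(16))

    blob_a = seal_vault("correct horse", email)
    blob_b = seal_vault("correct horse", email, secret_key=device_secret)

    # Scheme A: the master password alone opens the stolen vault.
    print("scheme A, master password only:", vault_unlocks(blob_a, "correct horse"))
    # Scheme B: the same master password is not enough without the secret key.
    print("scheme B, master password only:", vault_unlocks(blob_b, "correct horse"))
    print("scheme B, password + secret key:",
          vault_unlocks(blob_b, "correct horse", secret_key=device_secret))
```

The mitigation side is the last two lines: under scheme B the offline search the comment worries about must cover a 128-bit device secret in addition to the master password, which is why users of master-password-only designs are advised to rotate the credentials in the vault rather than rely on the stretching work factor.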