LastPass confirms customer password vaults were stolen
Vaults are encrypted, but that may not help protect LastPass users
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The data breach incident that hitpassword managerLastPass earlier this year saw the thieves crooks steal encrypted password vaults belonging customers, the company has confirmed.
The password vault is where people keep their passwords, so should the attackers find a way to decrypt the vaults, they’d be able to read all of the passwords saved in there.
In anupdatepublished on the LastPass blog, CEO Karim Toubba said that the threat actors usedcloud storagekeys stolen from a LastPass employee to access and exfiltrate customer vault data. The data stolen is a combination of encrypted intelligence - password vaults, and unencrypted information - vault-stored web addresses, names, email addresses, phone numbers, and in some cases - billing information.
Master password secure
The good news is that the password vaults are stored in a “proprietary binary format”, meaning that it’s close to impossible to actually read the contents. For that, the attackers would need the customer’s master password, which no one but the user (hopefully) knows. LastPass claims not to know this info.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
These are the best ID theft protection tools around>Here’s our LastPass review>LastPass hacked: Should you be worried about your passwords?
Still, the company warned cybercriminals “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” which could be a problem if the users created weak and easy-to-guess master passwords.
For those worried their master password might be cracked, the best thing to do right now would be to change it to something more resilient. If you have reason to believe the contents of your vault might be compromised, then changing the passwords is the only way to stay safe (aside from setting up multi-factor authentication whenever possible).
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
Red One isn’t perfect but it proves we need more action-packed Christmas movies
