The company that promises to keep all your passwords in one secure place now says that hackers were able to copy a backup of customer vault data, meaning they now hold the encrypted vaults that contain those passwords.
If you use LastPass to store passwords and login information, or you used to and hadn't deleted your account before this fall, a copy of your password vault could be in hackers' hands. The company says you are probably safe if you have a strong master password. If your master password is weak, or you have reused it anywhere, you should go further: changing the password for every website you have stored in the vault is the extra measure to consider.
It is difficult to take LastPass at its word, though, given how it has handled these disclosures.
When it announced the August intrusion, the company said it didn't believe user data had been accessed. It would have been nice to hear about the possibility of a further intrusion at some point between August and November, rather than after the fact. Then it said someone had gained access to "certain elements" of customer information. Now it turns out that what was taken includes the vaults themselves, the most important and secret things LastPass holds. The company says there is no evidence that credit card data was accessed, but frankly it would almost have been better if the hackers had gotten away with card numbers instead. You can cancel a card; you cannot cancel the contents of your vault.
The hackers copied a backup of customer vaults.
Here is what LastPass CEO Karim Toubba says about the vaults being taken:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
According to Toubba, the only way a malicious actor could decrypt those sensitive fields is with your master password, which LastPass itself does not hold.
He acknowledges that brute-force guessing could be used to get at the data, but says it would be extremely difficult if you chose a very good master password that you never reuse.
The announcement doesn't mention any feature that would stop someone from repeatedly trying to unlock a vault for days, months, or years, and there is a reason for that: once an attacker has a copy of the vault file, the guessing happens offline on their own hardware, where no lockout or rate limit applies. The only brake is the cost of each guess. LastPass does say that following its recommended defaults should protect you from that kind of attack. And if someone reuses their master password for other logins, the attacker may not need to guess at all: that password may already have leaked in another data breach.
If you have an older account, a weaker password-strengthening process might have been used to protect your master password, meaning a lower iteration count that makes each guess cheaper for an attacker. According to LastPass, it currently uses a "stronger-than-typical" implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2).
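To make the brute-force discussion above concrete, here is an added example (not LastPass's code, and not a reconstruction of its vault format) of an offline guessing attack against a PBKDF2-protected vault. The salt, the wordlist, the verifier tag and the 5,000-iteration "legacy" count are assumptions constructed for the example; 100,100 is LastPass's stated current default. It shows why no lockout can help once the file is stolen, why the iteration count only slows each guess rather than preventing the attack, and why a master password that appears in any wordlist falls regardless of the count.

```python
"""Offline dictionary attack against a PBKDF2-protected vault (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import time

# Assumptions, not LastPass internals: the salt, the verifier tag and the
# vault structure below are constructed for this example.
SALT = b"alice@example.com"
ITER_LEGACY = 5_000     # assumption: a lower count such as an older account might have
ITER_CURRENT = 100_100  # LastPass's stated current default


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The iteration count is the defender's only knob
    once the vault is in the attacker's hands; it scales the cost per guess linearly."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault(master_password: str, salt: bytes, iterations: int) -> dict:
    """Constructed vault: public metadata plus a tag the correct key reproduces.

    In a real vault the attacker instead tests a guess by decrypting a field and
    checking for plausible plaintext; the effect on the attack is the same."""
    key = derive_key(master_password, salt, iterations)
    tag = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def guess_is_correct(vault: dict, guess: str) -> bool:
    """One guess costs exactly one PBKDF2 run at the vault's iteration count."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    tag = hmac.new(key, b"vault-check", "sha256").digest()
    return hmac.compare_digest(tag, vault["tag"])


def crack(vault: dict, wordlist: list[str]) -> str | None:
    """Offline dictionary attack. Nothing rate-limits this: the attacker holds
    the file, so the only cost is the KDF work per guess."""
    for guess in wordlist:
        if guess_is_correct(vault, guess):
            return guess
    return None


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure KDF cost on this machine for a given iteration count."""
    start = time.perf_counter()
    for _ in range(trials):
        derive_key("timing-probe", SALT, iterations)
    return (time.perf_counter() - start) / trials


# Constructed wordlist standing in for the leaked-password lists an attacker would use.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1", "summer2022", "welcome1"]

if __name__ == "__main__":
    weak = make_vault("Password1", SALT, ITER_LEGACY)
    strong = make_vault("a long unique passphrase nobody else uses", SALT, ITER_CURRENT)
    print("legacy vault, reused/weak master:", crack(weak, WORDLIST))
    print("current vault, strong master:", crack(strong, WORDLIST))
    legacy_cost = seconds_per_guess(ITER_LEGACY)
    current_cost = seconds_per_guess(ITER_CURRENT)
    print(f"cost per guess: {legacy_cost * 1e3:.1f} ms at {ITER_LEGACY} iterations "
          f"vs {current_cost * 1e3:.1f} ms at {ITER_CURRENT}")
```

Run it and note two things: the weak master password falls to the same small wordlist whether the vault uses 5,000 or 100,100 iterations, because the count only makes each guess roughly twenty times more expensive, and the measured cost per guess is what an attacker multiplies by the size of their candidate list. A master password that is long, unique and absent from breach corpora pushes that list beyond reach; a reused one has already been paid for by someone else's breach.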
The unencrypted data, the website URLs, tells the hackers which sites you have accounts with. That is valuable reconnaissance if they decide to target specific users with phishing or credential-stuffing attempts.
Even so, I would not be happy with the way the company has disclosed this information.
It is not good news, but a breach like this could happen to any company storing secrets in the cloud. When a disaster happens, the name of the game is how you react to it.
I think that LastPass failed here.
This announcement was made on December 22nd, three days before Christmas, when many IT departments are on vacation and people aren't likely to be paying attention to password manager updates.
The announcement doesn't get to the vaults being copied until five paragraphs in. Some of that information is in bold, but it is fair to expect it at the very top.
The vault backups weren't taken in the August breach itself. Instead, the threat actor used information stolen then to target an employee who had access to a third-party cloud storage service. The vaults were kept in, and copied from, one of the volumes in that cloud storage. So was customer account information, including billing addresses, email addresses, telephone numbers, and company names.
Among the precautions the company says it is taking as a result of the initial breach is adding more logging and alerting to detect suspicious activity in the future.
It should do those things, and do them well. But if I were a LastPass user, I would be seriously considering moving away from the company at this point, because we are looking at one of two scenarios here: either the company didn't know that backups were on the cloud storage service when it announced that it It's a bad look.