If you use LastPass, it is time to update your passwords and account information, and after that to consider moving the new credentials out of the password manager. This follows LastPass’s admission that hackers stole users’ encrypted password vaults along with other private information. It is the latest update the company has given on a security incident involving the theft of the platform’s source code, first revealed in August 2022. Stolen source code gives attackers a better understanding of an otherwise closed system and makes the platform more susceptible to attacks.
The cloud-storage intrusion was disclosed in November 2022, when the business acknowledged it had “detected odd behaviour within a third-party cloud storage provider.”
The company’s CEO Karim Toubba said in a recent blog post that the hackers had obtained access to additional “credentials and keys which were utilised to access and decrypt various storage volumes within the cloud-based storage service.” It is concerning that LastPass has not disclosed the number of affected users.
Additionally, crucial user information, such as “company names, billing addresses, email addresses, end-user names, telephone numbers and IP addresses that were used to access the LastPass account”, was also stolen by the hackers. The most worrisome part is that they copied a backup of customer vault data from the encrypted storage container. “Unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data” are also included in this data.
The security of the “encrypted fields” has not been compromised, says LastPass, and they can be “decrypted only with a unique encryption key derived from each user’s master password.”
The master password is not kept on the platform directly. The company says that “only the local LastPass user can execute data encryption and decryption.” To reassure clients, the business also asserts that “there is no evidence that any unencrypted credit card data was accessed.”
The company further said that for “enterprise customers” it uses a “Zero Knowledge Architecture” alongside deploying a secret master password to encrypt vault data.
How can you protect your account?
Users must swing into action to protect their data and account information. LastPass claims it will be immensely challenging for hackers to guess master passwords, but users are still advised to change all passwords stored in the account. Make sure you also follow best password practices to safeguard your information: if your master password can be easily guessed, your entire vault is at risk of being compromised. For a master password, a minimum of 12 characters is advised, including some digits and special symbols. Additionally, the master password should never be used on another website.
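To make the two points above concrete (the vault key being derived locally from the master password, and why a 12-character master password with digits and symbols matters), here is an added Python example. It is not LastPass’s code; it assumes a PBKDF2-HMAC-SHA256 derivation salted with the account e-mail, an illustrative iteration count, and an assumed attacker hash rate, all of which are constructed for the demonstration.

```python
import hashlib
import math
import string

# Constructed parameters for illustration only. The real client's iteration
# count and salt handling are not taken from the article; these are assumptions.
PBKDF2_ITERATIONS = 100_100
KEY_LENGTH_BYTES = 32


def derive_vault_key(master_password: str, salt: str,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a vault encryption key from the master password with PBKDF2-HMAC-SHA256.

    The key is computed locally from the master password and a per-user salt
    (assumed here to be the account e-mail, lower-cased). Only this derived key,
    never the master password itself, is able to decrypt the vault, which is why
    a stolen encrypted vault is only as safe as the master password is hard to guess.
    """
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               salt.lower().encode("utf-8"),
                               iterations,
                               dklen=KEY_LENGTH_BYTES)


def guess_space_bits(password: str) -> float:
    """Rough strength estimate: log2(alphabet_size ** length) for the character classes used."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_master_password(password: str, site_passwords) -> list:
    """Return the policy rules a candidate master password violates.

    The rules follow the article's advice: at least 12 characters, at least one
    digit and one special symbol, and never reused as a password for a website.
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c in string.digits for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    if password in set(site_passwords):
        problems.append("reused as a site password")
    return problems


def years_to_exhaust(bits: float, iterations: int = PBKDF2_ITERATIONS,
                     hashes_per_second: float = 1e10) -> float:
    """Years needed to try every password in a space of `bits` bits.

    `hashes_per_second` is an assumed raw SHA-256 rate for an attacker's hardware.
    Each PBKDF2 guess costs `iterations` HMAC evaluations, which is what makes a
    slow key-derivation function protect a stolen vault.
    """
    guesses_per_second = hashes_per_second / iterations
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample vault: a few site passwords plus a candidate master password.
    vault_passwords = ["Hunter2!Hunter2!", "correct-horse-9", "P@ssw0rd2022"]
    for candidate in ["password", "Hunter2!Hunter2!", "Xk9#pL2$vQ7!"]:
        bits = guess_space_bits(candidate)
        print(f"{candidate!r}: {bits:.1f} bits, "
              f"~{years_to_exhaust(bits):.2e} years to exhaust, "
              f"problems={check_master_password(candidate, vault_passwords)}")
    key = derive_vault_key("Xk9#pL2$vQ7!", "user@example.com")
    print("derived vault key:", key.hex())
```

Running the script shows that an eight-letter lower-case master password can be exhausted in well under a year even with the slow KDF, while a 12-character mixed-class password pushes the same estimate past a hundred billion years; the derived key is identical across runs for the same password and salt, and changes completely when either changes.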
The company has also warned that hackers will target customers with brute-force attacks as well as phishing, credential stuffing and similar attacks. So if an e-mail in your inbox claims to be from LastPass and asks for your personal information, DO NOT click on it.