LastPass

A malicious actor copied personal information from LastPass' third-party cloud storage provider.

It also noted that while the company uses hashing and encryption methods to protect customer data, the malicious actors may use “brute force” in an attempt to guess customers’ master passwords and decrypt the copies of the vault data they stole. It recommended that those who do not follow these best practices change passwords for the websites they currently have stored in their LastPass account. [steal source code and technical information](https://www.cshub.com/attacks/news/lastpasss-source-code-stolen-in-data-breach) from LastPass’ development environment that was then used to target an employee.

Following breach, LastPass attackers have made off with unencrypted customer data and copies of backups of customer vault data.

I don’t doubt many users will be disappointed with LastPass and will be looking for an alternative password manager to store their passwords – perhaps even one that’s not cloud-based (though that comes with drawbacks, such as no password syncing capabilities, which makes life more difficult). Evaluate the content of your secure notes and data that LastPass automatically inserts in online forms, and change what can be changed. They know the users’ name, email address and phone number, and the online services they use, so users should be on the lookout for a variety of phishing attempts in the coming days and months. And if you were using a weak (or worse, previously leaked) master password when they were stolen, you’re screwed,” LastPass says that, if users followed best security practices – having a master password of 12+ characters and not having used it for other accounts – current password-cracking technology will get attackers nowhere. The encryption and decryption of data is performed only on the local LastPass client.”

LastPass CEO, Karim Toubba, has confirmed that a threat actor has stolen customer password vaults.

No company can be 100% safe from breaches; that’s a simple truth, but trust is paramount in the world of password management, and there can be little doubt that trust is being tested hard right now. For business customers using the federated login services provided by LastPass, Toubba says that the threat actor "did not have access to the key fragments stored in customer Identity Provider’s or LastPass’ infrastructure, and they were not included in the backups that were copied that contained customer vaults." The transparency in declaring breaches is always to be applauded, although questions remain as to why it has taken so long to determine and disclose that password vaults had been stolen. I also recommend, in the interests of better safe than sorry, that all users change their master password as doing so should re-encrypt the password vault after doing so. Fast forward to the end of November, and LastPass stated information obtained during that earlier compromise had enabled a threat actor to access "certain elements" of customer data within a third-party cloud storage service. I would have to agree, plus changing that master password to something much stronger.

The company advised certain users to consider changing their passwords for websites they have stored with the service.

And while it may be true strong master passwords could prove challenging to guess, even the strongest passwords could be at risk if they were used on another site that was previously breached. In those cases, LastPass advised users to go in and change the passwords of all the websites they have stored which could mean a grueling, laborious day of frantically resetting account information awaits. With that data in hand, the attackers can potentially access users’ entire collection of passwords and other data stored with LastPass if they can find a way to guess a user’s master password. At the same time though, that high concentration of sensitive information makes password manager sites some of the most mouth-watering targets for bad actors. For those users, it could take attackers “millions of years” to crack those codes using “generally-available password-cracking technology,” according to the CEO. In an update announcement two days before Christmas, LastPass CEO Karim Toubba admitted the attackers were able to successfully copy a backup of customer vault data.

Indeed, the company has since discovered that an unknown hacker group gained access to backup data that includes encrypted and unencrypted information. “The ...

The password manager also promised to perform “an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service.” If customers’ passwords vaults can only be unlocked with their master passwords, LastPass emphasized that hackers may still try to guess customer passwords by using brute force, social engineering, or phishing attacks. Indeed, the company has since discovered that an unknown hacker group gained access to backup data that includes encrypted and unencrypted information.