Passwords in it are still encrypted, but access could be brute-forced.
Back then, LastPass said that user data was unaffected and that the hackers only gained access to source code and a testing environment. However, the hackers then used this data to compromise the account of a LastPass employee, and they were subsequently able to obtain backup copies of user vaults. If you [followed LastPass's best practices](https://support.lastpass.com/help/what-is-the-lastpass-master-password-lp070014) for password creation, the company says you should be safe. However, with the vaults now in the hands of hackers, it’s possible they could use brute force to guess the right password. Even if you're confident that your master password is hard to guess, you should also go through all of your accounts and change passwords just to be safe. There are plenty of [great password managers](https://www.androidpolice.com/best-password-managers/) out there, and a lot of them are even more affordable than LastPass.
The stolen data includes usernames and passwords, but LastPass said this sensitive information is encrypted and cannot be easily accessed.
This data can only be unlocked with a customer’s master password. The company said the threat actor may attempt to use “brute force” to try to guess the master password and decrypt this sensitive data. The company said it has also added new security measures to help detect any unauthorised activity in future.
A malicious actor copied personal information from LastPass' third-party cloud storage provider.
It also noted that while the company uses hashing and encryption methods to protect customer data, the malicious actors may use “brute force” in an attempt to guess customers’ master passwords and decrypt the copies of the vault data they stole. It recommended that those who do not follow these best practices change passwords for the websites they currently have stored in their LastPass account. The attackers had previously been able to [steal source code and technical information](https://www.cshub.com/attacks/news/lastpasss-source-code-stolen-in-data-breach) from LastPass’ development environment, which was then used to target an employee.
Following the breach, LastPass attackers have made off with unencrypted customer data and copies of backups of customer vault data.
I don’t doubt many users will be disappointed with LastPass and will be looking for an alternative password manager to store their passwords – perhaps even one that’s not cloud-based (though that comes with drawbacks, such as no password syncing capabilities, which makes life more difficult). Evaluate the content of your secure notes and data that LastPass automatically inserts in online forms, and change what can be changed. They know the users’ name, email address and phone number, and the online services they use, so users should be on the lookout for a variety of phishing attempts in the coming days and months. And if you were using a weak (or worse, previously leaked) master password when they were stolen, you’re screwed. LastPass says that, if users followed best security practices – having a master password of 12+ characters and not having used it for other accounts – current password-cracking technology will get attackers nowhere. “The encryption and decryption of data is performed only on the local LastPass client.”
LastPass CEO, Karim Toubba, has confirmed that a threat actor has stolen customer password vaults.
No company can be 100% safe from breaches; that’s a simple truth, but trust is paramount in the world of password management, and there can be little doubt that trust is being tested hard right now. For business customers using the federated login services provided by LastPass, Toubba says that the threat actor "did not have access to the key fragments stored in customer Identity Provider’s or LastPass’ infrastructure, and they were not included in the backups that were copied that contained customer vaults." The transparency in declaring breaches is always to be applauded, although questions remain as to why it has taken so long to determine and disclose that password vaults had been stolen. I also recommend, in the interests of better safe than sorry, that all users change their master password, as doing so should re-encrypt the password vault. Fast forward to the end of November, and LastPass stated information obtained during that earlier compromise had enabled a threat actor to access "certain elements" of customer data within a third-party cloud storage service. I would have to agree, plus changing that master password to something much stronger.
The company advised certain users to consider changing their passwords for websites they have stored with the service.
In an update announcement two days before Christmas, LastPass CEO Karim Toubba admitted the attackers were able to successfully copy a backup of customer vault data. With that data in hand, the attackers can potentially access users’ entire collection of passwords and other data stored with LastPass if they can find a way to guess a user’s master password. At the same time though, that high concentration of sensitive information makes password manager sites some of the most mouth-watering targets for bad actors. For users with a strong master password, it could take attackers “millions of years” to crack those codes using “generally-available password-cracking technology,” according to the CEO. And while it may be true that strong master passwords could prove challenging to guess, even the strongest passwords could be at risk if they were used on another site that was previously breached. In those cases, LastPass advised users to go in and change the passwords of all the websites they have stored, which could mean a grueling, laborious day of frantically resetting account information awaits.
The password manager also promised to perform “an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service.” Even though customers’ password vaults can only be unlocked with their master passwords, LastPass emphasized that hackers may still try to guess customer passwords by using brute force, social engineering, or phishing attacks. Indeed, the company has since discovered that an unknown hacker group gained access to backup data that includes encrypted and unencrypted information.
[T]he threat actor gained access to the Development environment using a developer's compromised endpoint. While the method used for the initial endpoint ...
Back in August, Naked Security [said this](https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-code-breach-do-we-still-recommend-password-managers/): “If you want to change some or all of your passwords, we’re not going to talk you out of it. [But] we don’t think you need to change your passwords.”

The attack that led to an attack

If you have an automated build-and-test script that needs to access various servers and databases at various points in the process, you don’t want the script continually interrupted to wait for you to type in yet another 2FA code.

- Only requiring 2FA authentication for initial login, then allowing some sort of “single sign-on” system to authenticate you automatically for a wide range of internal services.
- Issuing “bearer access tokens” for automated software tools, based on occasional 2FA authentication by developers, testers and engineering staff.
- Doing full 2FA authentication only occasionally, such as requesting new one-time codes only every few days or weeks.

The crooks therefore now not only know where you and your computer live, thanks to the leaked billing and IP address data mentioned above, but also have a detailed map of where you go when you’re online. The good news, LastPass continues to insist, is that the security of your backed-up passwords in your vault file should be no different from the security of any other cloud backup that you encrypted on your own computer before you uploaded it. Note that you need to change the passwords that are stored inside your vault, as well as the master password for the vault itself.
Of course, “we have seen no evidence” isn’t a very strong statement (not least because intransigent companies can make it come true by deliberately failing to look for evidence in the first place, or by letting someone else collect the evidence and then purposefully refusing to look at it), even though it’s often all that any company can truthfully say in the immediate aftermath of a breach.
Password manager LastPass announced on Thursday that hackers had accessed and copied a backup of data including customers' passwords in an encrypted format.
Toubba wrote: “The master password is never known to LastPass and is not stored or maintained by LastPass.” As this explainer from the 3blue1brown YouTube channel shows, it would take hackers with today’s technology an impossibly long time to brute force a key of that size. However, those with weaker passwords, including business customers who do not use LastPass’ federated login services, were told they “should consider minimizing risk by changing passwords of websites you have stored.” “If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account,” LastPass CEO Karim Toubba wrote. “We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”