The phrase “from bad to worse” could well have been invented to describe LastPass’ ongoing security issues. The popular password manager, whose whole mission statement is to keep user passwords safe and secure, first reported a security breach back in August 2022, but ongoing hacking attempts seem to have finally gotten through the company’s security.
Late December last year — an easy time of year to miss important information like this — LastPass finally released an update on the severity of the problem.
Hackers have in fact gained access to a backup of the company’s customer vault data and retrieved a large amount of user information.
The data compromised includes end-user names, company names, addresses, email addresses, telephone numbers, and user IP addresses. LastPass is adamant that no credit card data was compromised, nor any master passwords.
However, the hackers were able to copy a backup of customer vault data that includes the unencrypted URL records of users, as well as copies of encrypted data such as website usernames and passwords.
So, essentially, whoever got into the data now knows where users have been, and who those users are.
LastPass is used by over 33 million people and 100,000 businesses, according to the company’s own numbers.
Back in August, hackers seem to have tricked a LastPass developer into installing malware that the criminals then used to access the company’s source code repository.
According to LastPass’ post-attack assessment, the company found that the attacker “gained access to the development environment using a developer's compromised endpoint”.
Then, in the last days of November, LastPass was made aware of more activity based on the August hack.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” said LastPass chief executive officer Karim Toubba at the time.
“We have determined that an unauthorised party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
LastPass still maintains that important customer data remains secure, but with a few caveats.
“Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time,” said Toubba in the December 22 announcement.
“However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.”
Changing the master password is probably the very least compromised users should do. With the data already breached, hackers could easily stage phishing attacks, or even blackmail users who may have accessed pornographic material online.
LastPass continues to monitor the incident and has notified “law enforcement and relevant regulatory authorities”.