The LastPass login and password vaults have been hacked. Hackers recently breached the cloud storage service that held encrypted LastPass customer account data, and you may need to take action.
The company disclosed that some customer information had been accessed by malicious actors, which it initially described only as “certain elements.” But, just as US workers are heading off for a holiday break, it now reveals that this included users' encrypted passwords.
LastPass recently announced a data breach: cybercriminals were able to access and copy customer vault data, meaning that if they can break into the stolen vaults, they could gain access to every stored password.
LastPass users or those who used to have accounts may have had their password vaults compromised by hackers. The company insists if you’ve got a strong master password and
Despite LastPass claiming that the master password still secures the passwords in the vault, we don’t know whether to trust that claim, given how the company has described these incidents so far.
In August, the company declared it had been breached but didn’t think any user data had been taken. By November, LastPass revealed they had identified a security breach most likely caused by the prior incident (it would’ve been helpful to give us this information between August and November).
The intrusion enabled someone to “gain access to some pieces” of customers’ info. Unfortunately, these “some pieces” consisted of the primary and most confidential things that LastPass stored.
The organization attested that there is “no proof that unencrypted credit card data was accessed,” but stolen card data would actually have been better news than what the hackers took. Fortunately, it’s simple enough to cancel credit cards.
The hacker managed to copy the customer vault data, which is stored in a proprietary binary format containing both unencrypted information, such as website URLs, and fully encrypted sensitive fields such as site usernames and passwords, secure notes, and form-filled data.
According to LastPass CEO Karim Toubba, a malicious actor cannot access the encrypted data or your passwords without the master password. LastPass emphasizes that it does not have access to anyone’s master password.
Because of this, he declares that “it would be remarkably tough to attempt to guess master passwords correctly” as long as you used a strong master password.
Despite LastPass claiming that its default settings will defend against such an attack, nothing prevents an attacker holding a copy of a vault from trying master-password guesses against it offline for as long as they like. Furthermore, a master password could also be discovered another way if it was reused for other logins and exposed in other data breaches.
However, the more concerning factor is the unencrypted data — since it consists of URLs, it tells cybercriminals which websites each user has accounts with. Should they decide to target particular users, combining this with phishing or other attack tactics would give them valuable information.
Though none of these are ideal events, all of this can occur to any company that stores sensitive information on the cloud. The game in cybersecurity isn’t always about having an impeccable record but how adeptly an organization responds when mishaps occur.
It’s worth noting that this announcement is being made on December 22nd, three days before Christmas, when IT teams are primarily out of the office and people are not likely keeping track of their password managers’ updates.
It’s not until the fifth paragraph that they mention the vaults being copied, and while some of it is bolded, one would expect something this monumental to be the first thing stated.
Action Needed: What You Should Do With Your LastPass Login Password Vault
LastPass claims that in the August incident no vault backups were breached; rather, the hacker grabbed data from a breached site and used it to target an employee. But the vault theft could mean changing the passwords of every website you gave LastPass permission to save.
If you think your LastPass login password vault could be compromised — such as if your master password is weak or you’ve used it elsewhere — you should begin changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email, cell phone plan, bank, and social media accounts, and work your way down the priority list.
Fortunately, accounts secured with two-factor authentication are far harder for attackers to access without the second factor, such as an authorization code delivered to your mobile phone or email.
That’s why ensuring these two-factor accounts are secure, like your email and cell phone plan accounts, is critical. If you need more information, we covered this news previously in this post, and the release regarding the LastPass login breach can be found here.
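As an added example (not from the article or from LastPass), the script below works through the triage the article recommends: it orders a vault's entries by the priority list above (email, cell phone plan, bank, social media, then everything else) and flags any password that appears on more than one site, since those are the ones a single leak unlocks. It assumes the column layout of a LastPass CSV export (header `url,username,password,totp,extra,name,grouping,fav`), and the sample export is constructed with placeholder passwords.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the column layout assumed for a LastPass CSV export.
# The passwords are placeholders; never paste real secrets into a script.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com/login,alice,PLACEHOLDER-1,,,Webmail,Personal,1
https://bank.example.com,alice,PLACEHOLDER-2,,,Bank,Finance,0
https://social.example.com,alice@mail.example.com,PLACEHOLDER-1,,,Social,Personal,0
https://forum.example.org,alice,PLACEHOLDER-1,,,Forum,Misc,0
https://carrier.example.net/account,alice,PLACEHOLDER-3,,,Cell plan,Personal,0
"""

# Rotation order from the article: email, cell phone plan, bank, social media.
# Keyword matching on hostname and entry name is a heuristic (assumed, not LastPass's).
PRIORITY_KEYWORDS = [("email", ("mail",)),
                     ("cell phone plan", ("carrier", "mobile", "phone")),
                     ("bank", ("bank",)),
                     ("social media", ("social",))]

def tier_for(host: str, name: str) -> int:
    """Return 0..3 for the critical account classes, 4 for everything else."""
    hay = f"{host} {name}".lower()
    for tier, (_, words) in enumerate(PRIORITY_KEYWORDS):
        if any(w in hay for w in words):
            return tier
    return len(PRIORITY_KEYWORDS)

def triage(export_text: str) -> list[dict]:
    """Return vault entries ordered by rotation priority, flagging reused passwords."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    sites_per_password = defaultdict(set)
    for r in rows:
        sites_per_password[r["password"]].add(r["url"])
    out = []
    for r in rows:
        host = urlparse(r["url"]).hostname or ""
        out.append({"host": host, "name": r["name"],
                    "tier": tier_for(host, r["name"]),
                    "reused": len(sites_per_password[r["password"]]) > 1})
    # Within a tier, reused passwords go first: one exposed password opens several sites.
    out.sort(key=lambda e: (e["tier"], not e["reused"], e["host"]))
    return out

if __name__ == "__main__":
    for e in triage(SAMPLE_EXPORT):
        flag = " (password reused)" if e["reused"] else ""
        print(f"tier {e['tier']}: {e['host']} - {e['name']}{flag}")
```

Run it against your own export only on a machine you trust, and delete the export file afterwards, since it holds the vault in plain text.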