LastPass has suffered two breaches since August. Now the company's CEO has bad news: this Thursday (22), Karim Toubba disclosed that the attackers managed to copy a backup of customer vaults. The good news (if there is any) is that the encrypted fields cannot be read without the master password.
The disclosure extends the explanations the company has been offering since the first security incident of 2022.
First, Toubba recalls that no customer data was accessed in August. At the time, the attackers took parts of the service's source code and some technical information.
Then came a second attack at the end of November: using credentials stolen in the August incident, the criminals accessed a cloud storage service used by the password manager.
This allowed them to copy basic customer account information and related metadata. It is worth noting that this data can also be used in phishing attacks, for example.
But this is where the bad news comes in:
“The attackers were also able to copy a backup of the customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains unencrypted data such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”, he warned.

LastPass vaults are encrypted…
The executive gave more details about what was collected.
First, Toubba reassured users that “encrypted fields remain protected with 256-bit AES encryption.” In other words, decrypting them requires the master password, which LastPass itself does not store.
“Data encryption and decryption is performed only on the local LastPass client,” he explained.
He also pointed out that no credit card data was taken, although, of all the problems here, that is the smallest one.
Later, the executive acknowledged that the attackers can try to brute-force the master password. But he does not consider that a simple path: “It would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” he said.
So far, so good. But pay attention to one part: “for customers who follow our password best practices”. And that is where an important observation is needed: not everyone does.
Remember that “brasil” was one of the most used passwords in Brazil in 2022, second only to “123456”. Meanwhile, “password” is the most used password in the world.
And even leaving aside how the master password was chosen, other risks remain, such as phishing or social engineering. On top of that, some users reuse the same password everywhere.

…but access is not impossible
Other factors need to be weighed. But it is important to start with a crucial point: the statement mentions only the password as a security mechanism.
Nowadays that is not the only barrier needed to prevent unauthorized access. Here it is worth recalling The Verge's observation that Toubba cited no mechanism that would limit continued attempts to unlock the vault. With an offline copy of the vault, server-side rate limiting and two-factor prompts simply do not apply: the master password and the cost of deriving the key from it are all that stand between the attacker and the data.
In the statement, the CEO also says that the manager uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2)”. This setting can be checked directly in the advanced account settings.
However, back to the specialized site: when checking an old account, a member of The Verge found their profile was set to 5,000 iterations. So, apparently, not everyone has the reinforced setting.
Finally, the icing on the cake: the executive says that, since 2018, LastPass has required master passwords of at least twelve characters. “This greatly minimizes the ability for successful brute force password guessing,” he explained.
But what about those who have had an account for longer and use a weak password? The statement itself makes it clear that this scenario would make a brute-force attack easier.
And so we return to what has already been discussed here: not everyone uses unique, strong passwords.

Change all passwords
LastPass did not say how many users were affected by the incident. But the advice here is simple: with or without a strong master password, change every credential stored in the manager.
Preferably, generate strong, unique passwords.
The same goes for any two-factor authentication secrets kept in the vault. It is also important to watch out for suspicious requests, such as fake emails or messages sent in LastPass's name.
Meanwhile, the company says it is strengthening the protection of its systems. Hopefully it sticks this time, because this was not the only security incident in the password manager's history: in 2015, LastPass was also hacked.
“We have already notified a small subset (less than 3%) of our enterprise customers to recommend that they take certain actions based on their specific account settings,” said Karim Toubba.
https://tecnoblog.net/noticias/2022/12/23/troque-suas-senhas-cofres-do-lastpass-foram-levados-por-hackers/