
What Has Happened?

Shortly before the 2022 holidays, LastPass announced that customer data had been significantly compromised after an unknown threat actor copied a cloud-based backup of customer vault data. The intrusion unfolded over several months and is believed to have begun in August 2022.

Information Stolen

The information stolen included encrypted passwords, usernames, and form-fill data. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”. The customer vault data also contained unencrypted data, such as the website URLs customers access via the password manager, company names, billing addresses, email addresses, phone numbers and the IP addresses customers use to access LastPass.

Although customers’ vaults were stolen, malicious actors cannot access the saved passwords without the master password, which only the customer should know.

How Does This Affect You?

If your LastPass vault was stolen, the threat actor may attempt to use brute force to guess your master password and decrypt the copies of the vault data they took. Because of the hashing and encryption methods LastPass uses to protect its customers, it would be extremely difficult to brute-force master passwords for those customers who follow the LastPass password best practices.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with their LastPass vault. To protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

What You Should Do

As a reminder, LastPass’ default master password settings and best practices include the following:

  • Use a minimum of 12 characters; the longer the better.
  • Use upper case, lower case, numeric, and special character values.
  • Make it pronounceable and memorable, but not easily guessed (e.g., a passphrase).
  • Make sure it is unique to you.
  • Never use personal information.
  • Do not reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack).

If you follow the default settings above, it will be extremely difficult for a malicious actor to crack your master password. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remains safely encrypted under LastPass’ Zero Knowledge architecture. However, if you would rather be safe than sorry, it is highly recommended that you change the passwords for the websites and accounts you have stored, even if you have a strong master password.

It is important to note that if your master password does not follow the defaults above, the number of attempts needed to guess it correctly is significantly reduced. In that case, as an extra security measure, minimise your risk by changing the passwords of the websites you have stored. The investigation is ongoing and any further findings will be published on LastPass’s security incident blog.

If you have any questions or concerns regarding the incident, please contact our IT Support team on +61 (2) 67735000 or at servicedesk@une.edu.au.

Sources:

LastPass

Cyber Security Dive