LastPass’ “Christmas gift” reveals customer vault data hacked
In our previous article we covered the data breach that LastPass, a popular password manager service, experienced in August of this year. Initially, the company stated that no customer data or encrypted password vaults had been accessed.
However, in their latest update on the situation, released on December 22nd, LastPass revealed that the hacker had indeed gained access to “backup customer vault data”. This data includes both unencrypted information, such as website URLs, and fully encrypted sensitive information, such as website usernames and passwords, secure notes, and form-filled data.
The fact that password manager services are a valuable target for hackers is well known. If a hacker can gain access to one of these services, they have essentially been given a key to their target’s entire online life.
This is exactly what happened at LastPass, with hackers obtaining encrypted copies of password vaults. The only remaining line of defence for users is their master password, which LastPass claims not to store on its own servers. What we do know is that, with the vaults now in the hands of hackers, it is possible for them to use brute-force methods to guess the correct master password and decrypt all of the remaining sensitive information of a user.
LastPass’s announcement of the obtained vaults came at a particularly inconvenient time, just a few days before Christmas. Many IT departments, responsible for company password security, may have already been on vacation, and private users may have had other priorities during the holiday season.
Additionally, LastPass’s initial blog post on the subject did not immediately address the fact that vaults had been obtained, instead spending several paragraphs discussing the history of the attack.
So, what should LastPass users do in response to this breach?
According to the company, there are “no recommended actions that you need to take at this time” for those using the default settings. However, those who do not use the default settings should consider changing the passwords stored in their vaults.
The Kaduu team also advises users to be cautious of phishing attacks, where someone posing as LastPass may attempt to obtain password information through email or other forms of communication. LastPass has assured users that they will never contact them seeking password information.
It is crucial for all internet users, not just LastPass customers, to be aware of data breaches and take necessary precautions to protect their personal information. This includes regularly updating passwords and being cautious of phishing attempts. While it may be inconvenient, the consequences of a data breach can be severe, and it is always better to err on the side of caution.
Stay up to date with exposed information online. Kaduu, with its cyber threat intelligence service, offers an affordable insight into the darknet, social media and deep web.