Hackers stole encrypted LastPass password vaults, and we’re just now hearing about it
LastPass has a doozy of an updated announcement about a recent data breach: the company — which promises to keep all your passwords in one, secure place — is now saying that hackers were able to “copy a backup of customer vault data,” meaning they theoretically now have access to all those passwords if they can crack the stolen vaults (via TechCrunch).
Last month, the company announced that Attackers had accessed “certain elements” of customer info. Just as many US workers are leaving for a holiday break, the company reveals that meant their encrypted passwords.
If you have an account you use to store passwords and login information on LastPass, or you used to have one and hadn’t deleted it before this fall, your password vault may be in hackers’ hands. Still, the company claims you might be safe if you have a strong master password and its most recent default settings. However, if you have a weak master password or less security, the company says that “as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
That might mean changing the passwords for every website you trusted LastPass to store.
While LastPass insists passwords are still secured by the account’s master password, it’s hard to just take its word at this point, given how it’s handled these disclosures.
While none of that is great news, it’s all something that could, in theory, happen to any company storing secrets in the cloud. In cybersecurity, the name of the game isn’t having a 100 percent perfect track record; it’s how you react to disasters when they happen.
And this is where LastPass has, in my opinion, absolutely failed.
Remember, it’s making this announcement today, on December 22nd — three days before Christmas, a time when many IT departments will largely be on vacation, and when people aren’t likely to be paying attention to updates from their password manager.
LastPass says that the vault backup wasn’t initially compromised in August; instead, its story is that the threat actor used info from that breach to target an employee who had access to a third-party cloud storage service. The vaults were stored in and copied from one of the volumes accessed in that cloud storage, along with backups containing “basic customer account information and related metadata.” That includes things like “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” according to LastPass.
What's Your Reaction?
