Now LastPass admits: hackers stole details of our users

by time news

Source: LastPass

Many users who know the dangers of recycling passwords or choosing easy ones turn to a password manager for an additional layer of security. But what happens when the tool that is supposed to be users' last line of defense is itself hacked? Nothing good.

A bingo card for phishing attacks

LastPass, one of the best-known and most popular password managers, suffered a cyber attack earlier this year. Its initial report on the incident did not spell out the extent of the damage. At the end of this week the company published an update, and the situation is serious. According to the updated post on the LastPass website, signed by CEO Karim Toubba, the attackers who reached the company's systems were able to copy the customer vaults, i.e. the place where all the sensitive information is kept. According to Toubba's post, the intrusion was carried out using cloud-storage access keys obtained from one of LastPass's employees.

The post states that customer data was stored in the cloud in a proprietary format developed by LastPass, which holds both encrypted and unencrypted fields. The unencrypted fields include the URLs of the websites kept in the vault, so the attackers can see exactly which accounts each user has. The passwords themselves are encrypted with 256-bit AES, and the decryption key can only be derived from the user's master password; LastPass does not rule out that the attackers will simply try to brute-force it. Because the attackers hold their own copy of the encrypted vault, they can make an unlimited number of guesses offline, with none of the rate limiting or lockouts that apply when logging in to the live service. The only thing standing between them and the stored passwords is how hard the master password is to guess.
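To make the offline-guessing point concrete, here is an added example in Go (not code from the article or from LastPass). It builds a vault entry in the mixed layout described above, URL in the clear and secret under AES-256-GCM with a key derived from the master password, then runs a dictionary attack against the stolen copy. The key derivation (PBKDF2-HMAC-SHA256), its iteration count, the per-user salt, the all-zero nonce and the sample records are all assumptions of this demo, not LastPass's actual scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// VaultEntry mirrors the mixed layout the post describes: URL in the clear, credential
// AES-256 encrypted under a key derived from the master password. Illustrative layout only.
type VaultEntry struct {
	URL        string // plaintext: tells the attacker which account this is
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(secret) with the auth tag appended
}

const kdfIterations, aesKeyLen = 1000, 32 // demo KDF cost (assumption, not LastPass's) and AES-256 key length

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018), inlined so the demo needs no extra module.
func pbkdf2SHA256(password, salt []byte, iters, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// cipherFor derives the AES-256 key from a master password and wraps it in GCM.
func cipherFor(master, salt string) cipher.AEAD {
	key := pbkdf2SHA256([]byte(master), []byte(salt), kdfIterations, aesKeyLen)
	block, _ := aes.NewCipher(key) // both calls only fail on bad key/block sizes, which are fixed here
	aead, _ := cipher.NewGCM(block)
	return aead
}

// EncryptEntry builds one vault entry. The URL is GCM associated data: authenticated but
// readable by anyone holding the blob. The all-zero nonce keeps the demo deterministic;
// real code must use a fresh random nonce for every encryption.
func EncryptEntry(master, salt, url, secret string) VaultEntry {
	aead := cipherFor(master, salt)
	nonce := make([]byte, aead.NonceSize())
	return VaultEntry{URL: url, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, []byte(secret), []byte(url))}
}

// TryDecrypt returns the secret when master is correct. A wrong master gives a different key,
// the GCM tag check fails, and that failure is the attacker's oracle: no server is involved.
func TryDecrypt(master, salt string, e VaultEntry) (string, bool) {
	pt, err := cipherFor(master, salt).Open(nil, e.Nonce, e.Ciphertext, []byte(e.URL))
	if err != nil {
		return "", false
	}
	return string(pt), true
}

// OfflineBruteForce is what a stolen vault copy enables: each candidate master password is
// tried locally with no lockout and no rate limit. It returns the recovered master password
// and the number of guesses it took.
func OfflineBruteForce(e VaultEntry, salt string, candidates []string) (string, int, bool) {
	for i, guess := range candidates {
		if _, ok := TryDecrypt(guess, salt, e); ok {
			return guess, i + 1, true
		}
	}
	return "", len(candidates), false
}

func main() {
	// Constructed sample data, not real user records; the salt is an assumed per-user value.
	const salt = "user@example.com"
	entry := EncryptEntry("summer2019", salt, "https://bank.example", "hunter2-bank")
	fmt.Println("target site, readable without any key:", entry.URL)

	// Constructed mini wordlist standing in for a real password dictionary.
	wordlist := []string{"password", "123456", "letmein", "summer2019", "Tr0ub4dor&3"}
	if master, n, ok := OfflineBruteForce(entry, salt, wordlist); ok {
		secret, _ := TryDecrypt(master, salt, entry)
		fmt.Printf("master %q recovered after %d offline guesses; stored secret: %s\n", master, n, secret)
	}
}
```

The URL is printed before a single guess is made, which is the "they know which accounts you have" point; the loop in OfflineBruteForce is the "unlimited attempts" point, since the only thing slowing it down is the cost of the key derivation, not any server-side control.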

But it doesn't stop there. The CEO acknowledged that the attackers also walked off with a good amount of more general account data: names, email addresses, phone numbers and the addresses users entered as their billing address, which is usually their home address. With this, the hackers have a full bingo card for future phishing attacks, and can use all of it to try to trick users into handing over their master password or payment details.

If you're a LastPass user, the best advice is to change your master password to a stronger one and make sure it isn't one you have reused for other accounts. At the same time, if you haven't turned on two-step verification, now is the time. Then even if your master password is compromised, whether by brute force or by tapping a text message claiming your Amazon parcel is stuck in customs, there is another step in the way that stops attackers from logging in to your account. One caveat: neither change can protect the vault copy that was already stolen, because two-step verification guards the login to the service, not the decryption of an offline copy. If your old master password was short or reused, treat the passwords stored in the vault as exposed and rotate the important ones.
