Facepalm: LastPass, one of the most popular password manager services out there, was breached this past August. The company is now saying that the damage done by the unknown hackers is much worse than was initially assessed. Users should change their passwords ASAP.

In the original report about the data breach incident discovered in August, LastPass said that "only" the company's source code and proprietary information were compromised. Users' data and passwords remained safe and untouched. Now, a follow-up security notice on that same incident is saying otherwise: the malicious actors were able to access some users' data too.

The black hat hackers obtained the cloud storage access key and dual storage container decryption keys, LastPass says. With the stolen keys, they were able to further compromise the platform's security by copying a backup that contained "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."

The cyber-criminals were also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format. The container includes both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

However, LastPass said, the encrypted fields "remain secure" even when in cyber-criminals' hands, as they were generated with a 256-bit AES-based encryption algorithm and "can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture." Zero Knowledge means that LastPass doesn't know the master password needed to decrypt the data, while decryption itself is performed only on the local LastPass client and never online.

As for credit card data, LastPass partially stores it in a different cloud environment. And there are no indications that such data was accessed - so far, at least.

All things considered, LastPass is trying to send the message that, despite the extended breach of the company's platform, users' encrypted data should still be safe from any nefarious intent. That is not the same as saying that there are no risks or dangers coming from the breach, however.

A very determined malicious actor could try to brute-force the encrypted passwords, LastPass says, even though the attempt would be "extremely difficult" as the company routinely tests "the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls." There could be additional risks concerning phishing attacks or brute-forcing attacks against online accounts associated with users' LastPass vaults.

On that front, LastPass remarked that they will never call, email, or text a user and ask them to click on a link to verify their personal information. They will never ask to know a vault's master password, either.

"Lastpass' developer system was hacked, which may or may not be a risk to users, depending upon the privilege level of the hacked system." As an extreme security measure, users of the online password manager are advised to change their master password and all the passwords stored in the vault anyway.