LastPass, a widely used password manager, was the target of a data breach in which encrypted customer password vaults were stolen by cybercriminals. LastPass CEO Karim Toubba said the intruders obtained cloud storage keys and used them to copy a backup of customer vault data.
LastPass Says the Intruders Got In by Obtaining an Employee's Cloud Storage Keys
According to the story by Yahoo News, the attackers obtained the cloud storage keys from a LastPass employee. The company also warned that the cybercriminals could try to brute-force their way into users' vaults.
Per a LastPass blog post, no customer data was accessed during the earlier incident in August 2022, but source code and technical information were stolen at that time, and that information was later used to target the employee.
The Company Assures that They have Found No Evidence that Unencrypted Credit Card Data was Accessed
In response to the incident, the company said it had eliminated any potential future access to its development environment by decommissioning that environment and rebuilding a new one from scratch.
The company maintains that the sensitive vault fields remain encrypted and that, under its zero-knowledge architecture, LastPass itself does not know users' master passwords. LastPass also says it has found no evidence that unencrypted credit card data was accessed.
Customers' Password Vaults Remain Encrypted and Can't be Accessed without a User's Master Password
Some vault data was not encrypted, including the web addresses stored in the vault. LastPass has not published the specific technical and security details of this proprietary vault format. The criminals also stole personal data such as names, email addresses, phone numbers, and billing information.
LastPass customers' password vaults are encrypted and can only be unlocked with the customer's master password, which is known only to the customer. Even so, LastPass warns that the cybercriminals behind the intrusion "may attempt to use brute force to guess users' master password and decrypt the copies of vault data they took." Because the attackers hold their own copy of the encrypted vault, that guessing happens offline, where LastPass's server-side login protections cannot slow it down.
Two-Factor Authentication is Recommended to Users for Added Security to Their Accounts
To protect their accounts, LastPass suggests changing the master password to a long, complex, and unique one, written down and kept in a safe place. Customers whose master password is weak or reused on other sites should also begin changing the passwords stored in their LastPass vault, starting with the most critical accounts.
Enabling two-factor authentication is another important step. With two-factor authentication, an attacker who knows the master password still needs a second factor, such as an emailed code or a phone prompt, to log in to the account. Customers should first secure the email and phone accounts that deliver those codes with two-factor authentication of their own. Note that two-factor authentication protects logins to the live account; it does not protect a stolen copy of the vault, which an attacker can try to decrypt offline, so there the strength of the master password is what matters.
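The offline guessing that LastPass warns about, and the reason the advice above centres on the master password rather than on two-factor authentication, can be seen in a small simulation. The script below is an added example, not LastPass's code and not its real vault format: it builds a stand-in vault (PBKDF2-HMAC-SHA256 key stretching, an HMAC-SHA256 counter keystream for encryption, and an encrypt-then-MAC tag so a guess can be verified) using only the Python standard library, then runs a constructed wordlist against it exactly as an attacker holding a stolen copy would. The wordlist, vault entries, master passwords and iteration counts are all constructed for the demonstration.

```python
"""Offline master-password guessing against a stolen vault copy.

Added example, not LastPass's code. It models the situation the article
describes: the attacker already holds the encrypted vault (with its salt and
KDF iteration count) and can test guesses locally, so server-side controls
such as rate limiting and two-factor authentication never come into play.

The vault format here is a stand-in chosen so the script runs on the Python
standard library alone: PBKDF2-HMAC-SHA256 for key derivation, an HMAC-SHA256
counter keystream for encryption, and an encrypt-then-MAC tag for verification.
It is NOT LastPass's real vault format; the wordlist, vault contents and
passwords below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Constructed sample wordlist, standing in for a leaked-password list.
WORDLIST = [
    "password", "123456", "qwerty", "letmein", "Summer2022!",
    "Welcome1", "P@ssw0rd", "lastpass", "dragon", "monkey",
]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the PBKDF2 output."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a simple stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int,
                  salt: Optional[bytes] = None) -> dict:
    """Produce a vault record; everything in it is what the attacker stole."""
    salt = salt if salt is not None else os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def try_decrypt(vault: dict, guess: str) -> Optional[bytes]:
    """Return the plaintext if `guess` is the master password, else None.

    The MAC check is what tells the attacker a guess was right. Every wrong
    guess still costs a full PBKDF2 run, which is the only thing slowing them.
    """
    enc_key, mac_key = _subkeys(derive_key(guess, vault["salt"], vault["iterations"]))
    expected = hmac.new(mac_key, vault["salt"] + vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ks = _keystream(enc_key, len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], ks))


def brute_force(vault: dict, wordlist: List[str]) -> Optional[Tuple[str, bytes, int]]:
    """Try each candidate; return (password, plaintext, guesses_used) or None."""
    for count, guess in enumerate(wordlist, start=1):
        plaintext = try_decrypt(vault, guess)
        if plaintext is not None:
            return guess, plaintext, count
    return None


def seconds_per_guess(iterations: int) -> float:
    """Time one PBKDF2 run; attacker cost grows linearly with the iteration count."""
    start = time.perf_counter()
    derive_key("timing-probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    entries = b"example.com,alice,hunter2\nbank.example,alice,Tr0ub4dor&3"
    weak = encrypt_vault("Summer2022!", entries, iterations=5000)
    strong = encrypt_vault("fennel-orbit-quilt-marble-47", entries, iterations=5000)
    print("weak master password:  ", brute_force(weak, WORDLIST))
    print("strong master password:", brute_force(strong, WORDLIST))
    for it in (5000, 100000, 600000):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1000:.1f} ms per guess")
```

Two things the run shows. The weak master password falls on the fifth guess because it is in the wordlist, and nothing on the account side (two-factor authentication, lockouts, alerts) ever fires, since no login is attempted. The strong passphrase survives the same list, and the per-guess timing loop shows why the iteration count matters: each extra iteration is paid by the attacker on every guess, but it only raises the cost of a search, it does not shrink the search space, which is what a long, unique master password does.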
The company also warns of potential phishing attacks, in which cybercriminals try to bait users through social engineering. LastPass reminds its users that it does not directly ask for personal information by phone call, email, or text.