The LastPass Breach: It Wasn’t Just an Announcement, Customer Password Vaults Were Stolen From the Company That Stores Them
While LastPass insists passwords are still secured by the account’s master password, it’s hard to just take its word at this point, given how it’s handled these disclosures.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container. That backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
It is worth noting that if you have an older account, the password-strengthening process protecting your master password may be weaker than the current default. According to LastPass, it currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staff member checked their older account using a link the company includes in its blog, it told them their account was set to 5,000 iterations.
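To make the iteration-count difference concrete, here is an added example (not code from the article or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 at the two settings the article mentions and reports the relative work factor. It assumes a generic construction, lowercased account e-mail as salt and a 32-byte output key; LastPass's exact scheme is not described on this page, so treat those details as assumptions.

```python
"""
Added example, not from the article or from LastPass.

Derives a vault encryption key with PBKDF2-HMAC-SHA256 at the two iteration
counts the article mentions (100,100 for current accounts, 5,000 reported by
one older account) and compares the work factor each setting imposes.

Assumptions (not stated on the page): the salt is the lowercased account
e-mail and the derived key is 32 bytes. This is a generic PBKDF2 scheme for
illustration, not necessarily LastPass's own.
"""
import hashlib
import time

CURRENT_DEFAULT_ITERATIONS = 100_100   # figure LastPass quotes in the article
OLDER_ACCOUNT_ITERATIONS = 5_000       # figure one older account reported


def derive_vault_key(master_password: str, account_email: str, iterations: int) -> bytes:
    """Derive a 32-byte key from the master password with PBKDF2-HMAC-SHA256.

    Salting with the (assumed) account identifier keeps every user's derivation
    distinct, so one table of precomputed keys cannot serve many accounts.
    """
    salt = account_email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def iteration_setting_is_weak(iterations: int, baseline: int = CURRENT_DEFAULT_ITERATIONS) -> bool:
    """True when an account's setting is below the current default the vendor quotes."""
    return iterations < baseline


def relative_work_factor(iterations: int, baseline: int = CURRENT_DEFAULT_ITERATIONS) -> float:
    """How many times less work each key derivation costs at `iterations` than at
    `baseline`. PBKDF2 cost is linear in the iteration count, so this is the ratio."""
    return baseline / iterations


def time_one_derivation(iterations: int, rounds: int = 3) -> float:
    """Average wall-clock seconds for one derivation, using constructed inputs."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for label, n in (("current default", CURRENT_DEFAULT_ITERATIONS),
                     ("older account", OLDER_ACCOUNT_ITERATIONS)):
        ms = time_one_derivation(n) * 1000
        print(f"{label:16s} {n:>8,} iterations  ~{ms:7.1f} ms/derivation  "
              f"weak={iteration_setting_is_weak(n)}  "
              f"work factor 1/{relative_work_factor(n):.1f} of default")
```

Running it shows the older setting finishing each derivation roughly twenty times faster than the current default, which is exactly why the article treats a 5,000-iteration account as a concern: the cost of every master-password guess scales with that number.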
Perhaps the more concerning bit is the unencrypted data — given that it includes URLs, it could give hackers an idea of which websites you have accounts with. If they decided to target particular users, that could be powerful information when combined with phishing or other types of attacks.
None of that is good news, and a breach like this could happen to any company storing secrets in the cloud. In cybersecurity, the name of the game isn’t having a 100 percent perfect track record; it’s how you react to disasters when they happen.
Remember, LastPass is making this announcement today, on December 22nd — three days before Christmas, a time when many IT departments will largely be on vacation, and when people aren’t likely to be paying attention to updates from their password manager.
The announcement does not mention that the vaults were copied until five paragraphs in. It is fair to expect news that important at the very top, even if some of the text has been bolded.
The LastPass security incident: where it came from, and what it means for trust in the service
The company says it has taken many precautions in response to the initial breach and the secondary one that followed, such as adding more logging to detect suspicious activity in the future and rebuilding its environment.
You’ve heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. If you ever wanted to take the plunge with a free and mainstream option, it was probably LastPass. The security service has 28.6 million users and last week made a worrying announcement about a security incident that exposed password vaults along with other user data.
Evan Johnson, who worked at LastPass for more than seven years, says that they are doing a crummy job detecting incidents and preventing issues: “I’d either be looking for new options or looking for a new focus on trust from their management team.”