Hackers have attacked LastPass, the popular online password management service, and stolen data. If you are a LastPass user, it is time to update all your passwords and account details. And once that is done, one should ideally move the new data away from the password manager. That’s because LastPass has admitted that hackers stole encrypted user password vaults and other sensitive details.

This is the company’s latest update regarding a security incident that was first reported in August 2022, when hackers stole the platform’s source code. Once source code is compromised, it gives cybercriminals a closer look at proprietary systems and makes a platform more vulnerable to attacks. This is what was reported in November 2022, when the company admitted it had “detected unusual activity within a third-party cloud storage service.” Worryingly, LastPass has not said how many users are affected.

Now, in a new blog post, company CEO Karim Toubba wrote that hackers gained access to other “credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” They were also able to “copy a backup of customer vault data from the encrypted storage container,” which is the most troubling bit of information. Hackers also stole key user information such as “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” The vault data also includes “unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

The company has notified “a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations.” For enterprise customers, the company says it continues to use “Zero Knowledge architecture and implements a hidden master password to encrypt your vault data.”

Still, this is an “ongoing investigation,” and users should note that more information will likely come to light around this in the coming months.

What does this mean for users? How to protect your account?

While LastPass is not saying this outright, clearly users need to take action to secure their account information. Hackers would need to brute-force the master password and then decrypt the stolen copies of the vault data, but there are many risks involved. It is recommended that users change all passwords stored on the platform. That’s because LastPass claims it will be “extremely difficult to attempt to brute force guess master passwords,” but “for those customers who follow our password best practices.”

In a blog post the company went public with limited details of the security incident:

“We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

It’s important to understand that the hackers have not stolen LastPass users’ master passwords. Instead, they have managed to get their hands on the authentication hashes (or checksums) used by LastPass to verify that your master password is correct when you try to access the service. If you chose a weak master password, or if it isn’t very long, then it might be possible for an attacker to crack it through brute force.

LastPass says that because the hackers do not appear to have accessed password vaults (which users store in encrypted form on the company’s servers) there should be no need to change passwords on other online sites. However, it is advising users to immediately change their master password if it is weak or if the same password has been used on other websites. (If you are reusing passwords then you need to get out of that bad habit at once, of course.) Unfortunately, right now LastPass appears to be overloaded with folks trying to reset their master passwords.
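The authentication-hash scheme LastPass describes above (a client-side PBKDF2 derivation, then a random per-user salt and 100,000 further rounds of PBKDF2-SHA256 on the server) can be sketched in a few lines. This is an added illustration, not LastPass’s own code; the client-side round count and the use of the e-mail address as the client-side salt are assumptions, since the article gives neither.

```python
import hashlib
import hmac
import os

# Assumption: the article does not state the client-side round count, so this
# value is a placeholder for illustration, not LastPass's actual parameter.
CLIENT_ROUNDS = 5_000
# Server-side strengthening as stated in the LastPass notice quoted above.
SERVER_ROUNDS = 100_000


def client_auth_hash(email: str, master_password: str) -> bytes:
    """What the client sends to the service: a PBKDF2-SHA256 derivation of the
    master password. The master password itself never leaves the client.
    (Salting with the lower-cased e-mail address is an assumption for this example.)"""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_strengthen(client_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server side: re-derive with a random per-user salt and 100,000 more rounds.
    This strengthened value, together with the salt, is what the server stores
    and therefore what an attacker who copies the user table obtains."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, per_user_salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> dict:
    """Create the stored record for a new account: a fresh random salt plus the
    strengthened authentication hash. No plaintext or reversible form is kept."""
    salt = os.urandom(32)
    return {
        "salt": salt,
        "auth_hash": server_strengthen(client_auth_hash(email, master_password), salt),
    }


def verify(record: dict, email: str, master_password: str) -> bool:
    """Check a login attempt by repeating both derivations with the stored salt.
    compare_digest avoids leaking where the comparison first differs."""
    candidate = server_strengthen(client_auth_hash(email, master_password), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])
```

Because every account gets its own random salt, two users who pick the same master password end up with unrelated stored hashes, so a stolen table cannot be attacked with one precomputed lookup and each guess costs the full 100,000 server-side rounds.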