LastPass hacker got customer info and their encrypted vault information | IT World Canada News
Business and private customers of the LastPass password management solution are being warned to take defensive action after the company acknowledged that customer information and encrypted data they had stored in the service's digital vault were copied by a hacker in a supply chain attack.
“Users should beware of sophisticated phishing attacks aimed at stealing their master password,” said Mike Walters, vice-president of vulnerability and threat research at Action1, a provider of patch management solutions. “An attacker can pretend to be LastPass, regulatory authorities, and other organizations and trick users into sharing their credentials. Remember, modern phishing can go beyond regular emails and combine different communication channels, such as phone calls, SMS, messengers, and others.
“I recommend that all users change their master passwords and enforce password security best practices. It includes creating a strong master password at least 30 characters long, re-encrypting the password vault, and enabling multi-factor authentication (MFA).”
His advice comes after LastPass CEO Karim Toubba acknowledged that last August's data breach was worse than he described earlier this month. Using information gained from the August attack, a hacker accessed a third-party cloud-based storage service that LastPass uses to store archived backups of its production data.
After further investigation, the company learned that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backups that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
In addition, the hacker also copied an encrypted backup of customer vault data from the encrypted storage container. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said in a blog. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client” of a user.
“Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” he maintained.
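The two claims above, that the vault key is derived from the master password on the client and that guessing master passwords is expensive for users who follow the password advice, are easier to reason about with a worked model. The following is an added example and not LastPass's code: it assumes PBKDF2-HMAC-SHA256 with the account email as salt and an iteration count of 100,000 (the article names neither the KDF nor the count), keeps a separate login hash so the server never holds the vault key, and, to stay within the standard library, stands in for AES-256 with an HMAC-SHA256 counter-mode keystream plus an HMAC tag (labelled as such in the code; it is not AES). It also shows the re-encryption step Walters recommends and a keyspace estimate for 8 versus 30 character passwords. One caveat the model makes visible: re-keying protects vault data encrypted from now on, while a backup copied before the change stays encrypted under the old key, so the strength of the master password in use at the time of the copy is what matters for that copy.

```python
"""Added example (not LastPass's code): client-side vault key derivation,
a server-side login hash that cannot be reversed to the vault key,
vault re-encryption after a master password change, and a brute-force
work estimate. KDF, iteration count and the stand-in cipher are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed PBKDF2 iteration count
KEY_BYTES = 32                # 256-bit key, matching the article's "256-bit AES"
SECONDS_PER_YEAR = 365.25 * 86_400


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the vault key on the client from the master password and the
    normalised account email (salt). This value never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=KEY_BYTES)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further PBKDF2 round produces the value sent to the server for
    authentication; it cannot be reversed to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=KEY_BYTES)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for AES so the example runs
    with only the standard library; it is NOT AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one vault field: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. A wrong key or a
    modified blob raises instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, nonce, len(ct))))


def rotate_master_password(old_key: bytes, new_key: bytes, blobs: list) -> list:
    """Re-encrypt every stored field under the key derived from the new master
    password. Copies taken before this step remain under the old key."""
    return [encrypt_field(new_key, decrypt_field(old_key, b)) for b in blobs]


def brute_force_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years to exhaust the keyspace of a uniformly random password at the given
    rate of full KDF evaluations per second (the rate is an assumption)."""
    return (charset_size ** length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    email = "alice@example.com"                       # constructed sample account
    old_key = derive_vault_key("correct horse battery staple", email)
    vault = [encrypt_field(old_key, b"site=example.org;pw=hunter2")]  # constructed field
    print("login hash differs from vault key:", derive_login_hash(old_key, "x") != old_key)
    new_key = derive_vault_key("a much longer master passphrase of thirty+ chars", email)
    vault = rotate_master_password(old_key, new_key, vault)
    print("decrypts under new key:", decrypt_field(new_key, vault[0]))
    for n in (8, 30):
        print(f"{n}-char printable-ASCII password, 1e9 guesses/s: "
              f"{brute_force_years(95, n, 1e9):.3g} years")
```

The login hash is kept distinct from the vault key on purpose: the server needs something to authenticate the user, but if that something were the vault key, a breach of the authentication store would hand the attacker the decryption key as well. The keyspace numbers assume a guess rate; what the article's "extremely difficult" rests on is the product of that rate, the iteration count and the password length, which is why the 30-character recommendation dominates every other setting.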
“This incident shows that an experienced attacker can exploit a company’s security vulnerabilities and steal sensitive customer data even if he has initially gained access to a certain part of the corporate infrastructure that is not directly related to this sensitive data,” said Walters.