There are news we could do without, especially at Christmas. In a blog post posted on December 22, 2022, password manager LastPass provided more information about the recent hack the company suffered. And as much to say it right away, the news is not good at all.
Hacked customer data
While last August, when the intrusion was detected, LastPass explained that it had no proof that customer data had been entered, the recent announcement says exactly the opposite. Karim Toubba, CEO of LastPass, indeed specifies that the malicious hacker was able to “copy backups of client vaults containing both encrypted and unencrypted data“. Since the LastPass Vault is precisely the place where all passwords and other login information are stored, the situation is quite critical.
As LastPass explains in an attempt to reassure its customers, passwords”remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.“While this statement is undeniable, it is not entirely reassuring. By having access to safes, the hacker can carry out brute force attacks (attempting millions of combinations one after the other) to attempt to guess the master password, and potentially subsequently gain access to all passwords and other data stored in client safes.
To put it more simply, if your master password is weak or easily guessable by a machine, your data is potentially at risk. Worse still, LastPass specifies that site URLs saved in the vault are not encrypted. Web addresses do not represent a serious danger in themselves, but they provide information on the sites on which users are registered, which can facilitate possible hacks if this data is crossed with other information from different leaks.
To make matters worse, the person(s) responsible for the attack also had access to “user IDs, billing information, email addresses, phone numbers, and IP addresses from which customers accessed the LastPass Service.“Only the credit cards were not stolen, LastPass does not keep the numbers of the latter. The timing of the announcement, a few days before Christmas, does not play in favor of the company, because potential customers could pass next to this information due to end of year celebrations.
To try to protect yourself, the best thing to do if you use LastPass is to change your master password, and ideally the passwords saved in your vault as well. If you have hundreds of them, it is worth starting with the most vulnerable accounts (mail, bank, work account, etc.). Then you can take a look at our password manager comparison if you want to ditch LastPass.