Whoops! Using LastPass? Hackers probably have information about you…


Mathieu Grumiaux

December 23, 2022 at 4:00 p.m.


The hack suffered by the password manager in August 2022 was much larger than announced, and passwords are now out in the wild.

LastPass, which had a bad Christmas surprise in store for us, has just posted new information on its blog about the amount of data taken during the hack it suffered a few months ago.

User encrypted passwords have been compromised

At the time, LastPass sought to be reassuring, indicating that no critical data had been stolen, although hackers were able to access billing addresses, customer and business names, and email addresses and phone numbers.

In the end, this was not the case, since LastPass announces today that the hackers were able to “copy backups of client vaults containing both encrypted and unencrypted data”. In plain terms, passwords and associated sites were taken during the intrusion.

LastPass apologizes and reiterates the best practices to follow to limit the risk of hacking

The situation is critical for LastPass, but the company would like to remind you that the stolen data is still encrypted and in principle unreadable by hackers and anyone else with access to the information: “These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is neither stored nor maintained by LastPass.”

Only the master password, defined beforehand by the user, can decrypt the passwords contained in the digital vault. A hacker can still try thousands of combinations in the hope of finding the right master password, which is called a brute-force attack.

LastPass nevertheless believes that this technique will not yield convincing results. “It would take millions of years to find your password using commonly used cracking technologies”, adds the online service.

The company still urges its users not to reuse their account’s master password on other websites and urges them to remain vigilant against phishing attempts, with scammers possibly impersonating LastPass itself in order to collect personal information.

Source: LastPass


