LastPass has suffered a breach in which a hacker reportedly obtained a copy of the data containing customers' encrypted passwords.
LastPass reported that the hacker copied a backup of customer vault data from an encrypted storage container during the intrusion, which gave them access to the password data.
LastPass had confirmed the system breach three weeks earlier but revealed no further details about the incident at the time. Which user data was lost was not clear until LastPass confirmed that it was the password data.
According to the reports, the stolen vault data consists of fully encrypted sensitive fields such as website usernames and passwords, secure notes, form-fill data, and encrypted website URLs.
The company is reassuring users that, even though a copy of the data file has been stolen, there is no need for alarm: the stolen vault data remains protected because it is secured with 256-bit AES encryption.
Although the hacker now has access to the usernames, nothing can be done with them without the master password. Only the owner of the vault, that is the customer, holds that password, and it is not in the hacker's hands.
Without that password there is no way to decrypt the data. The company said, as a reminder, that the master password is never known to LastPass and is not stored or maintained by the company. LastPass has not been recording the passwords or auto-saving them.
The remaining risk is that the hacker can use a variety of methods to obtain a customer's master vault password, for example by brute-force attacks that attempt to guess it.
Guessing each customer's password would never be an easy job, however, and this is where the need for a complex and unique password pays off.
LastPass has required a minimum of 12 characters for all master passwords. It is expected that no one has used their exact name or username followed by a few simple digits as a password.
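The paragraphs above describe why an encrypted backup is only as safe as the master password that protects it: an attacker holding the vault can do nothing but guess, and every guess must run the key-derivation function. The following is an added example, not LastPass's own code or policy engine, that checks a candidate master password against the 12-character minimum the article mentions, rejects the weak patterns it warns about (the user's own name or username plus a few digits), and estimates the expected guessing effort. The guess rate of 10^9 hash operations per second and the PBKDF2-style iteration count of 100,000 are assumptions chosen for illustration, not figures from the article.

```python
"""Master-password policy check and guessing-effort estimate.

Added example, not LastPass code. Assumed parameters (not from the
article): an attacker capable of 1e9 raw hash operations per second and
a key-derivation function costing 100,000 iterations per guess.
"""
import re
import string

MIN_LENGTH = 12  # the minimum the article says LastPass enforced
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes used to estimate the alphabet a password was drawn from.
_CLASSES = [
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
]


def charset_size(password):
    """Size of the smallest alphabet that could have produced the password."""
    return sum(len(chars) for _, chars in _CLASSES
               if any(c in chars for c in password))


def check_master_password(password, email, name=None):
    """Return a list of policy violations (empty list means acceptable).

    The checks mirror the concerns in the article: too short, built from
    identifiers the attacker already holds (email local part, display name),
    or a dictionary-style word followed by a short digit sequence.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    identifiers = [email.split("@")[0].lower()]
    if name:
        identifiers.append(name.lower())
    for ident in identifiers:
        if len(ident) >= 3 and ident in lowered:
            problems.append(f"contains account identifier '{ident}'")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", password):
        problems.append("word followed by a short digit sequence")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def guesses_for(password):
    """Upper bound on the number of candidates an exhaustive search covers."""
    return charset_size(password) ** len(password)


def expected_years_to_guess(password, guesses_per_second=1e9, kdf_iterations=100_000):
    """Expected time (half the search space) to recover the password when each
    guess must run the key-derivation function `kdf_iterations` times.

    Both rate and iteration count are assumptions for illustration only.
    """
    effective_rate = guesses_per_second / kdf_iterations
    seconds = guesses_for(password) / 2 / effective_rate
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    for candidate in ("alice2019", "correct-horse-battery-9"):
        print(candidate, check_master_password(candidate, "alice@example.com", name="Alice"),
              f"{expected_years_to_guess(candidate):.3g} years")
```

The estimate deliberately ignores the dictionary-style shortcuts a real guessing campaign would use, so it is an upper bound; the policy checks are what keep a password out of the easily guessed region where that bound does not apply.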
Another concern is whether the hacker will use phishing to steal customers' passwords.
This would involve sending fraudulent text messages or emails to customers while pretending to be the company, which could trick users into revealing their login credentials.
Users have therefore been advised not to respond to any suspicious text messages or emails and to contact the company or the authorities immediately upon receiving one.
LastPass issued a statement saying it was important to know that LastPass would never call, email, or text you and ask you to click on a link to verify your personal information.
It further read that, other than when signing into your vault from a LastPass client, LastPass would never ask you for your master password.
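LastPass's two rules quoted above (it never asks you to click a link to verify personal information, and it never asks for your master password outside a LastPass client) translate directly into a triage check that a help desk or mail filter can run over incoming messages. The code below is an added example, not a LastPass tool; the trusted domain `lastpass.com` and the sample messages are assumptions constructed for the demonstration.

```python
"""Triage of messages claiming to come from LastPass.

Added example, not LastPass code. The trusted-domain set and the sample
messages below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"lastpass.com"}  # assumed legitimate sender/link domain
URL_RE = re.compile(r"https?://[^\s<>\"']+")
VERIFY_RE = re.compile(r"verify|confirm|update your (account|information|details)")


def sender_domain(address):
    """Extract the domain from 'Name <user@host>' or a bare 'user@host'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return match.group(1).lower() if match else ""


def is_trusted(domain):
    """True only for the trusted domain itself or one of its subdomains;
    look-alikes such as 'lastpass.com.evil.example' are rejected."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def triage_message(sender, body):
    """Return the reasons a message should be treated as phishing
    (an empty list means nothing in the message violates the stated rules)."""
    reasons = []
    domain = sender_domain(sender)
    if not is_trusted(domain):
        reasons.append(f"sender domain '{domain}' is not a trusted LastPass domain")
    lowered = body.lower()
    if "master password" in lowered:
        reasons.append("asks for the master password (LastPass says it never does)")
    links = URL_RE.findall(body)
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        if not is_trusted(host):
            reasons.append(f"link to untrusted host '{host}'")
    if links and VERIFY_RE.search(lowered):
        reasons.append("asks you to click a link to verify personal information")
    return reasons


# Constructed sample messages (not real mail).
PHISH = (
    "LastPass Security <alerts@lastpass-support.example>",
    "Your vault was part of the incident. Please verify your account at "
    "https://lastpass-verify.example/login and enter your master password.",
)
LEGIT = (
    "noreply@lastpass.com",
    "We have completed the investigation. Read the update on our blog: "
    "https://blog.lastpass.com/incident",
)

if __name__ == "__main__":
    for sender, body in (PHISH, LEGIT):
        print(sender, "->", triage_message(sender, body) or "no findings")
```

Sender-domain checks are only as good as the mail system's authentication of the From header, so in practice this triage belongs behind SPF/DKIM/DMARC validation rather than replacing it.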
The hacker is also said to possess basic customer account information, including email addresses, telephone and mobile phone numbers, IP addresses, and billing addresses, which would make it easier to target customers individually.
This information might also help when trying to guess passwords.
The company also revealed that the hacker had stolen source code and technical data back in August. That data made it easier for the hacker to compromise a LastPass employee and obtain their credentials and security keys, which were used to access files in the company's cloud-based storage service.
The cloud storage service is not linked to the company's production IT systems, but it does hold backups of company data.
LastPass is resetting all corporate login credentials and has stated that it is also performing an exhaustive analysis of every account showing signs of suspicious activity within its cloud storage service, and is adding further safeguards within that environment.
LastPass is a password management computer security company that was launched in 2008 by Joe Siegrist and was later acquired by LogMeIn. Karim Toubba is the current Chief Executive Officer (CEO) of the company.
Data breaches are becoming a common occurrence in the U.S., which is a growing concern. Every company and organization faces the threat of a cyber-attack or data breach, and as safety measures improve, hackers keep discovering new ways and loopholes to get into data systems.
Other companies that have faced data breaches over the years include giants such as Facebook, Yahoo!, Microsoft, First American Financial Corp., JPMorgan Chase, LinkedIn, MySpace, Marriott International, eBay, Home Depot, FriendFinder Networks, Equifax, Cash App, Dubsmash, Heartland Payment Systems, Zynga, Adobe, LAUSD (Los Angeles Unified School District), Capital One, Target, Plex, River City Media, Exactis, and Deep Root Analytics.
Facebook has repeatedly faced major and minor data breaches and leaks. In April 2021, Facebook suffered a significant data breach in which 530 million users were exposed. It leaked information such as names, account names, passwords, and contact numbers of the users.