One of the most widely used password managers in the world, LastPass, suffered a significant data breach in December, putting the online passwords and personal information of its users at risk. Time is running out if you still haven't changed your passwords.
On December 22, LastPass CEO Karim Toubba admitted in a blog post that a security breach the company first disclosed in August ultimately resulted in the theft of crucial vault data and customer account information by an "unauthorised entity." The incident is the most recent in a long and alarming line of security incidents affecting LastPass that stretches back to 2011.
According to Toubba, the unauthorised entity was able to acquire unencrypted customer account data, including LastPass usernames, business names, billing addresses, email addresses, phone numbers, and IP addresses. The same unauthorised entity also had access to customer vault data, which contains both encrypted and unencrypted fields, including the usernames and passwords for every website customers have saved in their vaults.
If you use LastPass, you should consider switching to another password manager given how seriously your passwords and personal information are at risk from this attack.
How did it get to this point?
In an article written by Toubba and posted on the LastPass blog in August 2022, the company claimed that it had "determined that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information."
When the threat first surfaced, LastPass "engaged a leading cybersecurity and forensics firm," according to Toubba. This was followed by the implementation of "enhanced security measures." But as the known extent of the breach grew, that blog post would be updated multiple times over the following months.
In a blog post update on September 15, Toubba informed readers that the investigation of the incident had concluded.
"Our investigation revealed that the threat actor's activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor's activity and then contained the incident," Toubba stated. "There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults."
Customers were reassured by Toubba at the time that LastPass would take good care of their passwords and personal information.
It turned out, however, that the unauthorised entity was in fact able to access customer data after all.
The company "found that an unauthorised entity, using information gained in the August 2022 event, was able to get access to certain components of our customers' information," according to a Nov. 30 update to the blog post by Toubba.
On December 22, Toubba published a lengthy update to the blog post detailing the worrying specifics of which customer data the attackers had actually been able to access during the attack. Only at that point did the public learn the full extent of the problem: LastPass users' personal information was in the hands of a threat actor, and all of their passwords were at serious risk of being exposed.
However, Toubba reassured users who adhere to LastPass's recommended password practices and have the most recent default settings enabled that they don't need to take any further action at this time because their "sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."
Toubba cautioned, though, that individuals who haven't enabled LastPass's default settings and don't follow the password manager's best practices run the risk of having their master passwords compromised. Toubba advised those people to consider changing the passwords for the websites they had saved.
How should LastPass users act?
The firm did not disclose the number of users affected by the breach, and LastPass did not reply to CNET's request for further information on the incident. But if you're a LastPass user, you should act as though your account and vault data are in the possession of a malicious actor. Although the most sensitive information is encrypted, there is still a problem: the threat actor can run offline "brute force" attacks against the stolen copies of the vault files. If you've followed LastPass's recommended practices, it would reportedly take "millions of years" to recover your master password this way.
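As an added illustration that is not part of the article or anything published by LastPass, the following Python estimates how the expected time for an offline brute-force search against a stolen vault scales with the length and character variety of the master password; the guess rate is a constructed assumption, and the function names are my own.

```python
import math
import string

# Constructed assumptions (not figures from the article or from LastPass):
# an attacker searching a stolen vault offline at one million master-password
# guesses per second, once the vault's key-derivation cost is accounted for.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

_CLASSES = (
    string.ascii_lowercase,  # 26 characters
    string.ascii_uppercase,  # 26 characters
    string.digits,           # 10 characters
    string.punctuation,      # 32 characters
)


def charset_size(password: str) -> int:
    """Size of the pool an attacker must search: the sum of every character
    class that appears at least once in the password."""
    if not password or any(c not in string.printable or c.isspace() for c in password):
        raise ValueError("this example handles non-empty printable ASCII without whitespace")
    return sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))


def keyspace_bits(password: str) -> float:
    """Size of an exhaustive search over the inferred pool, in bits."""
    return len(password) * math.log2(charset_size(password))


def expected_years_to_crack(password: str,
                            guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected duration of an offline brute-force search: on average the
    correct password is found halfway through the keyspace."""
    expected_guesses = charset_size(password) ** len(password) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample master passwords: a short lowercase word versus a
    # 16-character password that draws on all four character classes.
    for pw in ("password", "Tr0ub4dor&3xyzAB"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"~{expected_years_to_crack(pw):.3g} years at the assumed rate")
```

The short lowercase example falls in hours at the assumed rate, while the 16-character mixed example lands far beyond the "millions of years" figure, which is the difference a strong master password makes once the vault file is already in an attacker's hands.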
If you haven't yet changed your individual passwords, or if you simply want complete peace of mind, you'll need to put in a lot of time and work. Additionally, you should probably stop using LastPass while you're doing that.
Keeping that in mind, here is what you should do immediately if you are a LastPass subscriber:
Look for a new password manager: Given LastPass's history of security issues and the seriousness of this latest breach, it's more important than ever to look for an alternative.
Immediately change your most important site-level passwords: This includes passwords for anything sensitive, such as online banking, financial accounts, internal company logins, and medical records. Make sure the new passwords are both strong and unique.
Turn on two-factor authentication wherever you can: After changing your passwords, make sure that every online account that supports 2FA has the feature enabled. By alerting you and requiring your approval for each login attempt, 2FA adds an extra layer of security. As a result, even if someone manages to discover your new password, they shouldn't be able to sign in to a site without your secondary authentication device (typically your phone).