This gave the attacker a head start on any attempts to decrypt vaults, as users had been advised that no further action was required up until this point. This wouldn't help anyone with a weak master password in terms of the stolen vaults, of course, so those customers were advised to change all their passwords as soon as possible.Īt this point, I stated that if I were a LastPass user, I'd be looking for alternatives given the drip feed of breach information, especially since it took so long to determine that customer vaults had been stolen. At this point, I recommended that users change their master password, which would also re-encrypt their password vault, based on better safe than sorry. With local access to the encrypted databases, this becomes a lot easier to pull off but is still dependent on the user either having a weakly constructed master password or one reused across services, including one that has been compromised. Unless, of course, they used brute-force methods to try known passwords from other breaches.
This meant the attacker now had customer password vaults but not the means to open them. If you are a LastPass customer, we recommend using a r andom and strong password that has never been used previously on other websites.LastPass attacker stole customer password vaults We therefore advise to reset passwords of everyone with an account to access the backoffice. Indeed, you can not be sure that people who had access to your backoffice in the past did not save their password using Lastpass. In 2022, the password manager LastPass indicated being victim of a security breach multiple times, and unfortunately hackers obtained user information.Īfter being the subject of multiple critical security issues, the company published a blog article on December 22nd, 2022 whereby they indicated that user account data such as invoice adresses, email, end user names, phone number as well as IP addresses had been taken.Īre you not using LastPass? You are still concerned!
0 kommentar(er)
