LastPass users are warned! Your passwords are now with hackers
Are you a LastPass user? If you are, you better update all your passwords and account details. Why? That's because the password managing company has now admitted that "threat actors" (a less scary way of saying "hackers") stole the company's customer password vaults in a cyberattack earlier this year. Whoever those hackers are, they now theoretically have access to valuable information.
Why does this story matter?
- Any company storing secrets in the cloud is prone to attack from cybercriminals. What matters is how a company reacts to such a situation.
- So far, it seems that LastPass' reaction to the attack in August has been suboptimal at best. Taking this long to let customers know about the theft of password vaults poses some serious questions about its ability to protect data.
LastPass first said customer data wasn't affected
When LastPass announced that it was breached in August, it said that cybercriminals gained unauthorized access to the company's developer environment, portions of source code, and some proprietary technical information. At the time, the password manager said that customers' encrypted passwords, personal information, and other data stored in the vault weren't affected. Almost four months since then, the company has changed its stance.
LastPass then said that some customer information was accessed
In November, LastPass gave us more information about the attack. The company said that hackers gained access to "certain elements" of customer information using the data they obtained during the August attack. Even then, it asserted that customers' passwords "remain safely encrypted." The company's updated blog post, however, says that the threat actors took more than what the company earlier believed.
Hackers copied backup of customer vault data
In the updated blog post, LastPass finally gave us the whole picture (hopefully). Per the company, hackers copied a backup of customer vault data using cloud storage keys obtained from a LastPass employee. The copied backup contains unencrypted data such as website URLs and encrypted data such as usernames, passwords, secure notes, and form-filled data. The company didn't mention how old these backups are.
Encrypted data can only be accessed with a master password
LastPass says that the encrypted data can't be accessed without the customers' master password, which is not known to or maintained by LastPass. However, those who stole the data can try to access it by guessing random passwords aka brute-forcing. Even a good master password and other settings won't stop someone from guessing many random passwords before getting it right.
What should users do?
According to LastPass, if customers have used its default settings, it would take "millions of years to guess the master password." However, if that's not the case, the company recommends users change the passwords of the websites stored as an added security measure. If you think you have a weak master password or if you have used it elsewhere, change your passwords now.