![]() That was likely a decision made by PR (and possibly Legal), but the company could have served users better. LastPass also downplayed the concern over phishing attacks. If your organization steps up its security policies, bite the bullet and ensure that no accounts or users are grandfathered in with old, insecure options.īy not recommending any actions, LastPass missed an opportunity to encourage users to increase their security through multifactor authentication. However, allowing users to continue using insecure master passwords that were too short and not forcing higher PBKDF2 iteration counts was a major mistake. LastPass was correct to increase the default level of security for new accounts as hardware cracking capabilities became faster. Similarly, the PBKDF2 setting now uses 100,100 iterations, but it previously used 5000, and some long-time users report it being set to 500. Unfortunately, LastPass increased the master password minimum length only in 2018 and did not require users with shorter master passwords to reset them at that time. ![]() There are no recommended actions that you need to take at this time. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Plus, LastPass applies 100,100 iterations of the PBKDF2 password-strengthening algorithm to make it harder for brute-force attacks to crack passwords. Potential Problemsīy default, LastPass requires master passwords to be at least 12 characters in length. You may not be able to prevent attackers from accessing your network, but if all the data they can steal is encrypted, that limits the overall damage that can ensue. If your company handles customer data along these lines, ensure that it’s always stored in encrypted form. The larger lesson is that a high-value attack target like LastPass should never have stored customer data in unencrypted form. It’s even possible that the unencrypted website URLs could lead to extortion attempts, as in the infamous Ashley Madison data breach. A forged password reset request from an unusual website you regularly use has a better chance of fooling you than a generic one for a big site that millions of people use. However, for inexplicable reasons, LastPass failed to encrypt website URLs associated with password entries.īecause LastPass left this information unencrypted, it’s now available for the attacker to use (or sell for others to use) in targeted phishing attacks. In the customer vaults, LastPass did secure usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, so they can be decrypted only with a unique encryption key derived from each user’s master password. LastPass says that the stolen data included unencrypted customer account information such as names, addresses, and phone numbers, but not credit card details. Any organization can learn from that error-if backups contain sensitive data, they should be equally protected. ![]() It also seems that LastPass may have been paying more attention to its on-premises production systems than its cloud-based backup storage. The main lesson here is that a dedicated attacker will probe all points of access into a company’s digital infrastructure- everyone must be mindful of security at all times. ![]() The attacker then leveraged information and credentials from that initial breach to target another LastPass employee’s account, where they were able to steal data from cloud-based storage that LastPass used for backup. The BreachĪccording to LastPass, the breach started in August 2022 when an attacker compromised a developer’s account. For those who don’t use LastPass, we also discuss ways your organization can improve its online security by learning from LastPass’s mistakes and misfortunes. On the positive side, the data of users who abided by LastPass’s defaults and created master passwords of at least 12 characters in length will likely resist cracking attempts.Īlthough 1Password is the most popular password manager for Apple users, we’ve mentioned LastPass as an alternative in previous articles, so here’s what happened and how LastPass users should react. Password management company LastPass has announced that it suffered a security breach in which attackers stole both encrypted customer account data (which is bad) and customer vaults containing encrypted usernames and passwords (which is much, much worse). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |