LastPass has released new information about the security incident that occurred in 2022. Personal data was stolen, and so were backups containing passwords, but those archives are encrypted.

The contours of the hack that hit LastPass this year are becoming clearer. In a status report published on December 22, the management of the password manager confirmed that personal data was indeed retrieved by the attacker(s). But another piece of information is likely to cause greater concern, because it relates to passwords.

LastPass reports that the attackers, once they had gained access to its cloud storage, were able to copy certain information, including "a backup of the client's vault data from the encrypted storage container". It is in this vault that sensitive data, passwords in particular, is kept.

LastPass has been in a sticky situation since an unauthorized access in 2022 compromised some data. // Source: LastPass

It may seem surprising, at first glance, that the vault containing such critical elements exists outside the user's own device.

This is in fact not so surprising given the features password managers generally offer, such as backup (to recover your vault if something happens to the device, for example if it is reset) or synchronization (to easily find your passwords on another device, such as a PC).

Vaults in circulation, but without the key to open them

Within this vault data, some information turns out to be unencrypted, because it did not need special protection (LastPass cites the addresses of the websites where customers have an account and, therefore, a password to save). But the rest, the most critical items such as usernames and passwords, is encrypted.

"These encrypted items remain secured with 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user's master password [...] As a reminder, the master password is never known to LastPass and is neither stored nor maintained by LastPass," says the company in its announcement post.

What the American company means is that this encrypted backup of the vault is unusable without that unique key. Granted, some peripheral data is exposed, such as website names, but that only says where you may have an account; it does not give access to your private space. The essential remains protected.

Password managers work as a kind of remote memory, handy for not having to memorize everything. // Source: Adèle Foehrenbacher for Numerama

"Data encryption and decryption is performed only on the local LastPass client," the company adds. In other words, all sensitive operations take place on the user's device, and the master password is not handled by LastPass (it is in fact the only password the user must make strong and absolutely memorize).

Among the other exposed information, LastPass mentions personal information: usernames, billing addresses, e-mail addresses, telephone numbers, IP addresses (from which Internet users access the LastPass service) and various other metadata.

In the case of passwords, LastPass considers that there is still no real risk for users despite vault backups being in the wild. "It would take millions of years to guess your master password using common password cracking technology," the company judges.

The attacker "may attempt to use brute force to guess your master password and decrypt the copies of vault data it has taken". But again, says LastPass, that is not plausible: it "would be extremely difficult to guess by brute force" these master passwords, thanks, the company explains, to its technical choices.

Regarding personal data, on the other hand, the situation is more troubling, because it will fuel phishing operations. It is through this stratagem that attackers will try to obtain the master password, using all the peripheral data obtained in this breach to pose as LastPass. This is where the most immediate risk lies.

What if you are a LastPass user?

If you use LastPass, what should you do? According to the guidance given by the company, here is what is recommended:

  • Be highly observant and attentive to future emails that might impersonate LastPass; do not reply to them, and do not fill in anything from a link they contain (such as a form);
  • Make sure the master password that unlocks your vault is truly unique and that you do not also use it for your online accounts;
  • If you have had a LastPass account since before 2018 and/or have changed LastPass's default settings for some reason, it may be safer to renew now the passwords of the sites you use.

According to LastPass, if the master password does not follow the default settings, "this would greatly reduce the number of attempts needed to guess it correctly". To reduce the risk, LastPass therefore recommends renewing passwords now, even though there is no proven and immediate danger. Sometimes prevention is better than cure.


Source: Adèle Foehrenbacher for Numerama
