LastPass has released a detailed analysis after the platform was hacked in August, revealing that the attackers took a “backup copy of customer vault data”; in other words, users’ passwords are at risk, provided the attackers can decrypt the stolen vault.
LastPass CEO Karim Toubba posted on the platform’s blog that, even though user information is in the attackers’ possession, this data is still secure if you have a strong master password and have followed the recommended configuration settings.
Conversely, if you don’t have a secure master password, the company suggests changing the passwords of the websites you have stored, which in practice means changing virtually all of your passwords.
Passwords are still secure even after being hacked
LastPass notes that user data is still protected by the account’s master password and that several mechanisms are in place to ensure the information cannot be accessed, although this position can be questioned given how the communication of the attack has been handled.
Recall that in August LastPass revealed it had suffered a computer attack, but user data was not believed to have been accessed. Later, in November, it disclosed an intrusion that had used information stolen in the earlier incident to access “some elements” of customer information, although there was no evidence that unencrypted credit card information had been accessed.
Toubba explains that a backup copy of the customer vault data was taken. It contains both unencrypted data, such as website URLs, and encrypted sensitive fields, such as usernames, passwords, secure notes and form-fill data.
However, Toubba details that the only way to access this information is through the master password, which LastPass never had access to, so “it is extremely difficult to brute force to guess the password” (a technique that involves trying candidates until the correct one is found), as long as passwords have not been reused and were encrypted correctly.
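To make the reasoning above concrete, the following added example (not LastPass’s code, and not from the original article) shows the general design it describes: the vault key is derived from the master password with a password-based KDF that the provider never stores, so the cost of an offline guess is the KDF cost, and the number of guesses needed is set by the master password’s strength. It also encodes the article’s advice as a rotation check: with a weak master password, every stored site password should be rotated; with a strong one, only reused ones. The iteration count, the 80-bit threshold and the sample vault entries are assumptions chosen for illustration.

```python
import hashlib
import math

# Assumed iteration count for illustration only; not LastPass's actual setting.
# A higher count makes every offline guess against a stolen vault more expensive.
ITERATIONS = 100_000

# Assumed threshold (in bits of estimated entropy) below which a master
# password is treated as weak for the purposes of the rotation advice.
WEAK_THRESHOLD_BITS = 80.0


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256.

    Illustrative stand-in for the vault encryption design the article describes:
    the key exists only where the master password is typed, never at the provider.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_entropy_bits(password: str) -> float:
    """Rough upper-bound entropy estimate from length and character classes used.

    Real passwords (dictionary words, reused patterns) are weaker than this
    estimate, so it is only useful as an optimistic bound.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses to hit the password: half the search space."""
    return 2.0 ** (entropy_bits - 1)


def years_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline search at a given guess rate (defender's estimate)."""
    return expected_guesses(entropy_bits) / guesses_per_second / (365 * 24 * 3600)


def rotation_advice(master_password: str, vault_entries: list[dict]) -> list[str]:
    """Return the site URLs whose stored passwords should be rotated.

    Weak master password: rotate everything, because the stolen encrypted
    fields may be recoverable. Strong master password: rotate only passwords
    reused across sites, since one site's leak would expose the others.
    """
    if password_entropy_bits(master_password) < WEAK_THRESHOLD_BITS:
        return [e["url"] for e in vault_entries]
    seen: dict[str, list[str]] = {}
    for e in vault_entries:
        seen.setdefault(e["password"], []).append(e["url"])
    return [url for urls in seen.values() if len(urls) > 1 for url in urls]


# Constructed sample vault entries (not real data).
SAMPLE_VAULT = [
    {"url": "https://mail.example.com", "password": "Hunter2!2019"},
    {"url": "https://shop.example.net", "password": "Hunter2!2019"},
    {"url": "https://bank.example.org", "password": "kq9$Vt!2mZp#Lr4w"},
]

if __name__ == "__main__":
    salt = b"constructed-per-user-salt-value!"
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        bits = password_entropy_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits, ~{years_to_crack(bits, 1e6):.2e} years at 1e6 guesses/s")
        print("  rotate:", rotation_advice(pw, SAMPLE_VAULT))
```

The guess rate passed to years_to_crack is deliberately a parameter: it depends on the attacker's hardware and on the KDF iteration count, neither of which the defender controls after the vault is stolen, which is why the only levers left are master password strength and rotating the stored credentials.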
Some of the risks of this leak work in the attackers’ favour: for example, knowing the URLs where users have logged in lets them target specific people, since they know which accounts those people hold.
The main problem, as it turns out, is that despite having acknowledged the problem and working on a solution, the company’s communication has been weak, having stated that the vault had not been compromised when in fact it had.
Meanwhile, LastPass is taking precautions against initial and follow-on breaches: adding more logging to detect suspicious activity in the future, improving its infrastructure and increasing credential rotation.