Author Topic: Analysis of LastPass breach (Sophos)

Offline Jason

  • Administrator
  • Master
  • *****
  • Posts: 4190
  • Humanist. Skeptic. Husband. Citizen.
Analysis of LastPass breach (Sophos)
« on: December 25, 2022, 04:29:04 am »
I found more startling information about the recent LastPass breach to follow up on Scott's initial post. The article comes from the security firm Sophos. It refers to the LastPass announcement from just days ago:

Quote
The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

To which Sophos comments:

Quote
Loosely speaking, the crooks now know who you are, where you live, which computers on the internet are yours, and how to contact you electronically.

Yikes!

But that's not the worst part. The announcement also notes:

Quote
The threat actor was also able to copy a backup of customer vault data.

The vault is what LastPass uses to refer to the database of stored passwords (as in password vault). Double yikes!

But if you use LastPass, you don't necessarily have to be alarmed, because the actual login and password information is stored only in an encrypted format using very strong encryption. The master password is never sent to the server in unencrypted form and is never stored on their servers. So if you chose a strong master password, it will be very hard for hackers to get at the actual passwords even with the vault. That's also assuming you didn't use this strong master password elsewhere (i.e. on a website that might be hacked). If you also have it set to use 2FA, that's even better. However, the vault apparently contains both encrypted and unencrypted information. The unencrypted information includes the website addresses you visit. But we don't know yet what else it may include.

Sophos has more information and some suggestions on what to do if you're a LastPass customer.

https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/?utm_source=pocket_reader



* Pop OS 22.04 on a PC desktop with a 3.6 GHz i5 (quadcore) processor, 12 GB RAM, and 512 GB Kingston SSD
* Lenovo 300e Chromebook (2nd generation)
* Motorola One 5G Ace with Android 11, Octo-core processor, 4 GB RAM and 128 GB internal storage
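To make the design Jason describes concrete (the master password never leaves the device, the server only ever sees a derived login hash, and the stored vault mixes cleartext URLs with encrypted credentials), here is an added illustration in Python. It is not LastPass's or Sophos's code; the iteration count, the field layout, and the HMAC-based toy stream cipher are assumptions chosen for a stdlib-only demonstration, and a real vault would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Constructed parameter (assumption, not LastPass's real setting): how many
# PBKDF2 rounds the client runs. Higher means each offline guess costs more.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side: stretch the master password into a 256-bit vault key.
    The (lowercased) email is the salt, so two users with the same master
    password still end up with different keys and different guessing work."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: one extra round turns the vault key into a login credential.
    Only this value is sent to the server; the master password and the vault
    key itself never leave the device."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_store(login_hash: bytes) -> bytes:
    """Server-side: store a freshly salted hash of the received login hash,
    never the master password. Returns salt || digest."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)


def server_verify(stored: bytes, login_hash: bytes) -> bool:
    """Server-side check, constant-time compare."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS))


# --- Toy authenticated encryption (assumption: illustration only) -------------

def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the single vault key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream generator."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(vault_key: bytes, blob: bytes) -> bytes:
    """Reject a wrong key or a tampered record before decrypting anything."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong vault key or tampered record")
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


# --- What a stolen vault backup looks like ------------------------------------

def make_vault_record(vault_key: bytes, url: str, username: str, password: str) -> dict:
    """Model of one stored entry. As the article notes for LastPass, the URL
    is kept in cleartext; the credentials are encrypted under the vault key."""
    return {
        "url": url,
        "username": seal(vault_key, username.encode()),
        "password": seal(vault_key, password.encode()),
    }


def cleartext_fields(record: dict) -> list:
    """Field names a thief of the backup can read without the master password."""
    return [name for name, value in record.items() if isinstance(value, str)]


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "alice@example.com")
    record = make_vault_record(key, "https://bank.example", "alice", "s3cret")
    print("visible without the master password:", cleartext_fields(record))
    print("decrypted with the right key:", unseal(key, record["password"]))
```

The two things to notice: the server-side `server_store` value cannot be turned back into the master password, so leaking it does not hand over the vault; and a stolen vault record still exposes `url` in cleartext, which is exactly why Sophos warns that the breach reveals which sites you have accounts on even when the credentials themselves stay protected by a strong master password.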

Offline ssfc72

  • Member
  • Master
  • *
  • Posts: 2048
Re: Analysis of LastPass breach (Sophos)
« Reply #1 on: December 26, 2022, 04:25:11 am »
Thanks for the good info, Jason.
I try to change my passwords for all my critical websites (banks, sites that might store my credit card number, etc.) about twice a year. That way, if some hacker has downloaded a website's file that holds an encrypted copy of login passwords, they would have to break that password within 6 months.
Mint 19.1 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MX Linux)
Cellphone Samsung A50, PCMobile pay as you go

Offline Jason

  • Administrator
  • Master
  • *****
  • Posts: 4190
  • Humanist. Skeptic. Husband. Citizen.
Re: Analysis of LastPass breach (Sophos)
« Reply #2 on: December 27, 2022, 06:11:39 pm »
Quote
Thanks for the good info, Jason.
I try to change my passwords for all my critical websites (banks, sites that might store my credit card number, etc.) about twice a year. That way, if some hacker has downloaded a website's file that holds an encrypted copy of login passwords, they would have to break that password within 6 months.

That's not a bad idea. I don't change them that often, but I use a long, complex password (over 50 characters if they allow it) for anything that has credit card or bank info. In the LastPass breach, apparently, the hackers got this data back in August. So all this time, at least some people have had their vaults in the possession of miscreants. I hope they used a strong master password and 2FA. I used 2FA with LastPass. That's the only reason I paid for the premium version.
* Pop OS 22.04 on a PC desktop with a 3.6 GHz i5 (quadcore) processor, 12 GB RAM, and 512 GB Kingston SSD
* Lenovo 300e Chromebook (2nd generation)
* Motorola One 5G Ace with Android 11, Octo-core processor, 4 GB RAM and 128 GB internal storage