Analysis of LastPass breach (Sophos)

Started by Jason, December 25, 2022, 04:29:04 AM

Jason

I found more startling information about the recent LastPass breach to follow up on Scott's initial post. The article comes from the security firm, Sophos. It refers to the LastPass announcement just days ago:

Quote: The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

To which Sophos comments:

Quote: Loosely speaking, the crooks now know who you are, where you live, which computers on the internet are yours, and how to contact you electronically.

Yikes!

But that's not the worst part. The announcement also notes:

Quote: The threat actor was also able to copy a backup of customer vault data.

The vault is what LastPass uses to refer to the database of stored passwords (as in password vault). Double yikes!

But if you use LastPass, you don't necessarily have to be alarmed, because the actual login and password information is stored only in an encrypted format using very strong encryption. The master password is never sent to the server in unencrypted format and is never stored on their servers. So if you chose a strong master password, it will be very hard for hackers to get at the actual passwords even with the vault. That's also assuming you didn't use this strong master password elsewhere (i.e. on a website that might be hacked). If you also have it set to use 2FA, that's even better. However, the vault apparently contains both encrypted and unencrypted information. The unencrypted information includes the website addresses you visit, but we don't know yet what else it may include.

Sophos has more information and some suggestions on what to do if you're a LastPass customer.

https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/?utm_source=pocket_reader



* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

ssfc72

Thanks for the good info, Jason.
I try to change my passwords for all my critical web sites (banks, sites that might store my credit card number, etc.) about twice a year. That way, if some hacker has downloaded a website's file that holds an encrypted copy of login passwords, they would have to break that password within 6 months.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo prepaid service

Jason

Quote from: ssfc72 on December 26, 2022, 04:25:11 AM
Thanks for the good info, Jason.
I try to change my passwords for all my critical web sites (banks, sites that might store my credit card number, etc.) about twice a year. That way, if some hacker has downloaded a website's file that holds an encrypted copy of login passwords, they would have to break that password within 6 months.

That's not a bad idea. I don't change them that often, but I use a long, complex password (over 50 characters if they allow it) for anything that has credit card or bank info. In the LastPass breach, apparently, the hackers got this data back in August. So all this time, at least some people have had their vaults in the possession of miscreants. I hope they used a strong master password and 2FA. I used 2FA with LastPass. That was the only reason I paid for the premium version.