Peterborough Linux User Group (Canada) Forum

Linux & Android => Security and Privacy => Topic started by: Jason on December 25, 2022, 04:29:04 AM

Title: Analysis of LastPass breach (Sophos)
Post by: Jason on December 25, 2022, 04:29:04 AM
I found more startling information about the recent LastPass breach to follow up on Scott's initial post. The article comes from the security firm, Sophos. It refers to the LastPass announcement just days ago:

Quote: The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

To which Sophos comments:

Quote: Loosely speaking, the crooks now know who you are, where you live, which computers on the internet are yours, and how to contact you electronically.

Yikes!

But that's not the worst part. The announcement also notes:

Quote: The threat actor was also able to copy a backup of customer vault data.

The vault is what LastPass uses to refer to the database of stored passwords (as in password vault). Double yikes!

But if you use LastPass, you don't necessarily have to be alarmed, because the actual login and password information is stored only in an encrypted format using very strong encryption. The master password is never sent to the server in unencrypted form and is never stored on their servers. So if you chose a strong master password, it will be very hard for hackers to get at the actual passwords even with the vault. That's also assuming you didn't use this strong master password elsewhere (i.e. on a website that might be hacked). If you also have it set to use 2FA, that's even better. However, the vault apparently contains both encrypted and unencrypted information. The unencrypted information includes the website addresses you visit. But we don't know yet what else it may include.

Sophos has more information and some suggestions on what to do if you're a LastPass customer.

https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/?utm_source=pocket_reader
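To make the "encrypted vault, key derived from the master password" point above concrete, here is a small model of the situation, added as an example for this thread; it is not LastPass's code, not from the Sophos article, and not a description of LastPass's actual file format. The structure it models is the one the post describes: the client derives a key from the master password with PBKDF2 (the password itself never leaves the client), username and password fields are encrypted under that key, and the URL is stored in the clear. The salt, iteration count, sample entries and wordlist are all constructed for the example; the encryption uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for AES, because the standard library has no AES and the cracking cost lives in the key derivation, not the cipher. The crack_vault function is what an attacker holding the stolen backup can do offline: one PBKDF2 run per guess, with the MAC telling them whether the guess was right.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed sample parameters for this example (not real LastPass values).
SALT = bytes.fromhex("a3f1c2d4e5b60718293a4b5c6d7e8f90")
ITERATIONS = 100_000  # illustrative; the real client's count is a tunable parameter


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client-side key derivation. Only the derived key (or values built from it)
    ever leaves the client; the master password itself does not."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for AES-CTR (stdlib has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt one vault field: nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> Optional[str]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_vault(master_password: str, entries):
    """What the server (and therefore the thief) ends up holding: salt, iteration
    count, cleartext URLs, and encrypted username/password fields."""
    key = derive_key(master_password, SALT, ITERATIONS)
    return {
        "salt": SALT,
        "iterations": ITERATIONS,
        "items": [
            {
                "url": url,  # stored in the clear, as the post notes
                "username": encrypt_field(key, user),
                "password": encrypt_field(key, pw),
            }
            for url, user, pw in entries
        ],
    }


def crack_vault(stolen_vault, wordlist):
    """Attacker with the backup: try master-password guesses offline. Each guess
    costs one full PBKDF2 run, which is the only thing slowing them down; the
    MAC check tells them when a guess is correct. Returns the recovered master
    password, or None if it is not in the wordlist."""
    probe = stolen_vault["items"][0]["password"]
    for guess in wordlist:
        key = derive_key(guess, stolen_vault["salt"], stolen_vault["iterations"])
        if decrypt_field(key, probe) is not None:
            return guess
    return None


if __name__ == "__main__":
    entries = [("https://bank.example", "jason", "hunter2-long-random")]
    wordlist = ["password", "123456", "Summer2022!", "letmein"]
    print("weak master:  ", crack_vault(build_vault("Summer2022!", entries), wordlist))
    print("strong master:", crack_vault(build_vault("four random words plus digits 9417", entries), wordlist))
```

Two things fall out of running this. First, the stolen vault tells the attacker the URL of every entry without any cracking at all, which is the "unencrypted information" the post warns about and is enough for targeted phishing. Second, the only defence for the encrypted fields is the cost of derive_key multiplied by the number of guesses the attacker needs: a master password that appears in a wordlist falls in seconds regardless of the iteration count, while one that has to be brute-forced character by character does not. That is exactly why a strong, unique master password matters more than anything else here.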



Title: Re: Analysis of LastPass breach (Sophos)
Post by: ssfc72 on December 26, 2022, 04:25:11 AM
Thanks for the good info, Jason.
I try to change my passwords for all my critical web sites (banks, sites that might store my credit card number, etc.) about twice a year. That way, if some hacker has downloaded a website's file that holds an encrypted copy of login passwords, they would have to break that password within 6 months.

Title: Re: Analysis of LastPass breach (Sophos)
Post by: Jason on December 27, 2022, 06:11:39 PM
Quote from: ssfc72 on December 26, 2022, 04:25:11 AM
Thanks for the good info, Jason.
I try to change my passwords for all my critical web sites (banks, sites that might store my credit card number, etc.) about twice a year. That way, if some hacker has downloaded a website's file that holds an encrypted copy of login passwords, they would have to break that password within 6 months.

That's not a bad idea. I don't change them that often, but I use a long, complex password (over 50 characters if they allow it) for anything that has credit card or bank info. In the LastPass breach, apparently, the hackers got this data back in August. So all this time, at least some people have had their vaults in the possession of miscreants. I hope they used a strong master password and 2FA. I used 2FA with LastPass. That's the only reason I paid for the premium version.