LastPass hacker got customer information and their encrypted vault data

Business and personal users of the LastPass password management service are being warned to take defensive action after a hacker copied customer information and the encrypted data stored in the service’s digital vaults, reaching that data through a third-party cloud storage service the company uses.

“Users should beware of sophisticated phishing attacks aimed at stealing their master passwords,” said Mike Walters, vice president of vulnerability and threat research at Action1, a patch management solutions provider. “An attacker can impersonate LastPass, regulatory authorities, and other organizations and trick users into sharing their credentials. Remember, modern phishing can go beyond the average email and combine a variety of communication channels, such as phone calls, SMS, messengers and others.

“I recommend that all users change their master passwords and implement password security best practices. This includes creating a strong master password that is at least 30 characters long, re-encrypting the password vault, and enabling multi-factor authentication (MFA).”

His advice comes after LastPass CEO Karim Toubba admitted that the data breach disclosed last August was worse than he had described earlier this month. Using information gleaned from the August attack, a hacker accessed a third-party cloud-based storage service that LastPass uses to store archived backups of its production data.

After further investigation, the company realized that once the threat actor had obtained the cloud storage access key and the dual storage container decryption keys, they copied information from the backup, including basic customer account information and associated metadata: company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service.

In addition, the hacker also copied an encrypted backup of customer vault data from an encrypted storage container. “These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero knowledge architecture,” Toubba wrote in a blog post. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. Encryption and decryption of data is performed only on the user’s local LastPass client.

“Due to the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess the master password for customers who follow our password best practices,” he maintained.
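The security-relevant point in Toubba’s statement, and the reason for Walters’ 30-character advice, is that an attacker holding a stolen vault backup no longer needs the LastPass servers: the salt, the key-derivation parameters and the ciphertext are all in the blob, so master-password guesses can be checked offline, limited only by the cost of the key derivation and the size of the password space. The following is an added illustration written for this page, not LastPass code. It assumes a PBKDF2-HMAC-SHA256 derivation, an arbitrary 20,000-iteration work factor, a constructed blob layout and a toy HMAC-based stream cipher standing in for AES-256; none of these are LastPass’s actual parameters or implementation.

```python
"""Offline guessing against a stolen, password-encrypted vault blob.

Constructed illustration: the blob layout, the KDF work factor and the toy
cipher are assumptions made for this example and are not LastPass's own
implementation or parameters.
"""
import hashlib
import hmac
import secrets
import time
from typing import Iterable, Optional, Tuple

KDF_ITERATIONS = 20_000   # assumed work factor, kept low so the demo runs quickly
KEY_LEN = 32              # 256-bit key, the key size the article cites for vault data


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The derivation runs on the client; the service stores the salt and the
    iteration count but never the master password or the derived key.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256.

    Stands in for AES-256 so the example needs only the standard library;
    not a production cipher.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def seal_vault(master_password: str, plaintext: bytes, iterations: int = KDF_ITERATIONS) -> dict:
    """Build the blob an attacker holds after stealing a backup: everything but the password."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password: str, blob: dict) -> Optional[bytes]:
    """Return the plaintext when the password is right, else None.

    Because the tag only verifies under the correct key, this function is
    also the attacker's offline oracle: every guess can be checked locally.
    """
    key = derive_key(master_password, blob["salt"], blob["iterations"])
    expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


def offline_guess(blob: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on the stolen blob: no server, rate limit or MFA in the loop."""
    tried = 0
    for guess in candidates:
        tried += 1
        if open_vault(guess, blob) is not None:
            return guess, tried
    return None, tried


def worst_case_guesses(alphabet_size: int, length: int) -> int:
    """Guesses needed to exhaust a uniformly random password of the given shape."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample vault contents; nothing here is real data.
    secret = b"site=example.com;user=alice;password=hunter2"
    blob = seal_vault("summer2022", secret)

    # The attacker's cost per guess is the KDF cost: measure it rather than assume it.
    t0 = time.perf_counter()
    derive_key("timing probe", blob["salt"], blob["iterations"])
    per_guess = time.perf_counter() - t0

    found, tried = offline_guess(blob, ["password", "123456", "summer2022", "letmein"])
    print(f"weak master password recovered after {tried} guesses: {found!r}")

    for length in (8, 30):
        space = worst_case_guesses(70, length)
        years = space * per_guess / (365 * 24 * 3600)
        print(f"{length}-char random password from 70 symbols: {space:.2e} guesses, "
              f"about {years:.2e} years on this single core at {blob['iterations']} iterations")
```

Two things to read off the output: a master password that appears in any wordlist falls regardless of the work factor, because the attacker checks guesses at KDF speed with no account lockout or MFA in the path; and the exhaustion time for a random password grows exponentially with length while the KDF only multiplies it by a constant, which is why length matters more than iteration count once the password is outside any dictionary. The single-core figure understates a real attacker, who will run the same loop on GPU rigs, so treat it as a lower bound.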

“This incident shows that an experienced attacker can exploit a company’s security vulnerabilities and steal sensitive customer data, even if he initially gained access to a certain portion of the corporate infrastructure which is not directly related to this sensitive data,” Walters said.
