LastPass hit by major data hack: what you need to know

LastPass, the popular service for managing all your various passwords, has confirmed a major data hack by an 'unknown threat actor' that has put customers' data at risk

If you currently use LastPass, the company says you should review your master password: the one that protects your online vault containing all your other stored passwords. 

If you suspect that your master password is weak or insecure, LastPass advises that you change it immediately, and also change all the individual passwords you've got saved in your LastPass vault. 


Treasure trove of user data exposed in the LastPass attack

In August 2022, LastPass reported that a hacker had accessed one of its cloud-based storage environments. 

It has since emerged that the attacker used this access to steal software source code and technical information. 

In November, the attacker used their stolen information to target a LastPass employee and in turn steal login credentials, enabling them to access more customer data. 

The stolen 'basic customer account information', as LastPass describes it, includes user names, billing addresses, email addresses, telephone numbers, and IP addresses used to access LastPass.

The hack also included a copy of other customer data, including the websites visited, user names and passwords, secure notes and data used to auto-fill online forms. 

All this information would be very valuable to a cyber-criminal in building up a picture of an individual in order to target them for identity theft, blackmail and other types of scam.


Wow, that sounds bad...

It does indeed, but LastPass has said that this information can only be decrypted – turned into a format that a person can actually read – if the hacker can get a unique encryption key derived from each user’s master password. 

LastPass does not know users' master passwords, and they are not stored or maintained by LastPass. If you're a LastPass user, only you know your master password. The company describes this as its 'zero knowledge architecture'.

However, if you have set an easily crackable master password, you could be at risk of a cybercriminal guessing it and decrypting the stolen data. 


What to do if you are a LastPass customer

First of all, don't panic. But do check your LastPass master password. 

Alongside the mandatory 12-character minimum that LastPass imposed in 2018 (if you were an earlier user, you may still have a shorter password), your master password should be sufficiently complex, created using an established password creation method such as the one detailed here. 

Your password should not be reused elsewhere in case it is compromised in a separate data breach. If that happened, it could then be used to target your account in what is known as a 'credential stuffing' attack. 

LastPass said in a blog post confirming the attack that for anyone using a secure password creation method, 'it would take millions of years to guess your master password using generally-available password-cracking technology'.

'Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.'

However, the company added that, for those who hadn't created a secure master password, this would 'significantly reduce the number of attempts needed to guess it correctly'. 

'In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored,' LastPass added. 
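To make the 'millions of years' argument above concrete, here is an added example (not code from the article or from LastPass) that estimates the worst-case time for an offline guessing attack on a stolen vault. The guess space comes from the master password's length and character classes, and each guess is slowed by the key-derivation work that turns the password into the vault key; the hash rate, iteration count and sample passwords are constructed assumptions, not LastPass's actual parameters.

```python
"""Worst-case time to exhaust the guess space of a master password when the
attacker holds only the encrypted vault. Added example; the constants below
are assumptions for illustration, not LastPass's real configuration."""
import string

# Character classes an exhaustive search must cover once the password uses them.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),
]

ASSUMED_HASHES_PER_SECOND = 1e10   # assumed hash throughput of a cracking rig
ASSUMED_KDF_ITERATIONS = 100_000   # assumed PBKDF2-style iterations per guess
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search would have to enumerate."""
    chars = set(password)
    size = sum(n for members, n in CLASSES if chars & members)
    # Characters outside the four classes (e.g. a space) each add one symbol.
    size += len(chars - set().union(*(m for m, _ in CLASSES)))
    return size


def keyspace(password: str) -> int:
    """Candidates of the same length drawn from the same alphabet.
    This is an upper bound: real attacks try dictionary words and common
    patterns first, so predictable passwords fall far sooner."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, iterations: int = ASSUMED_KDF_ITERATIONS,
                     hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Worst-case years to try every candidate; each guess costs `iterations` hashes."""
    guesses_per_second = hashes_per_second / iterations
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def meets_length_rule(password: str, minimum: int = 12) -> bool:
    """The 12-character minimum the article says LastPass has required since 2018."""
    return len(password) >= minimum


if __name__ == "__main__":
    # Constructed sample passwords: an 8-character lowercase word and a
    # 12-character mixed-case password with digits.
    for pw in ("sunshine", "Sunsh1ne2022"):
        print(f"{pw!r}: length ok={meets_length_rule(pw)}, "
              f"alphabet={charset_size(pw)}, years={years_to_exhaust(pw):.3g}")
```

The lowercase 8-character sample falls in under a year even with the assumed key-derivation cost, while the 12-character mixed sample sits in the billions of years; dropping the iteration count makes every guess cheaper and shrinks both figures proportionally.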

The company said that it has contacted 'law enforcement and relevant regulatory authorities' about the incident.

Is it safe to use a password manager? 

Despite this data breach, using an online password manager is still safer than not using one. We all have lots of online accounts, and juggling various different passwords is hard. 

Password managers are a convenient and secure way to do that. But that doesn't mean it has to be LastPass that you use. 

LastPass has been attracting some criticism from the security community for its response to this data breach. Some have questioned its statements, and expressed concern that it is putting a lot of the onus on the user to have secured their own master password as the last line of defence.

If you are a LastPass customer or are considering becoming one, you can vote with your feet. There are other services out there, such as Dashlane and 1Password, that are also worth considering if you prefer. 



source https://www.which.co.uk/news/article/lastpass-hit-by-major-data-hack-what-you-need-to-know-aH9H00s851HM