The big hack affecting password management giant LastPass looks much worse than first thought. In an update announcement two days before Christmas, LastPass CEO Karim Toubba admitted that the attackers were able to copy a backup of customer vault data. With this data in hand, attackers could potentially gain access to users’ entire collection of passwords and other data stored with LastPass if they can find a way to guess a user’s master password.
In an effort to prevent an immediate spike in heart attacks, Toubba warned that it would be “extremely difficult” to guess master passwords for customers using the company’s default settings and best practices. For those users, it could take attackers “millions of years” to crack these codes using “generally available password cracking technology,” according to the CEO. LastPass says it should not have access to users’ master passwords.
This comforting assurance does not necessarily apply to users with weaker master passwords. In these cases, LastPass advised users to go in and change the passwords for all the sites they have saved. That can mean an exhausting, labor-intensive day of frantically resetting account information. And while it may be true that strong master passwords can be challenging to guess, even the strongest passwords can be at risk if they were reused on another site that was previously breached. There is no shortage of previously hacked passwords sitting on dark web markets. Affected LastPass customers may also find themselves inundated with annoying phishing attempts trying to trick them into unwittingly handing over the keys to the kingdom.
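To make the “millions of years” versus “weak master password” distinction in the two paragraphs above concrete, here is an added example (not code from the article or from LastPass) that models an offline guessing attack on an exported vault. It assumes the vault key is stretched from the master password with PBKDF2-HMAC-SHA256, that the attacker must run the full iteration count for every guess, and it uses a constructed attacker speed of one billion HMAC evaluations per second; the iteration counts and password shapes are illustrative, not LastPass’s real parameters.

```python
"""Estimate how long exhausting a master-password keyspace would take.

Model (an assumption for illustration, not LastPass's real parameters):
the attacker holds the encrypted vault plus its per-user salt, derives the
vault key with PBKDF2-HMAC-SHA256, and pays the full iteration count for
every candidate password. Everything below runs offline.
"""
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed attacker speed: one billion HMAC-SHA256 evaluations per second
# (a rough stand-in for a GPU rig; treat as a placeholder, not a measurement).
ASSUMED_HMAC_RATE = 1e9


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key.

    This is what a password manager does on login and what an attacker must
    repeat per guess; the cost grows linearly with `iterations`.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def keyspace_size(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must try."""
    return alphabet_size ** length


def years_to_exhaust(keyspace: int, hmac_rate: float, iterations: int) -> float:
    """Worst-case years to try every candidate.

    Each guess costs roughly `iterations` HMAC evaluations, so the attacker's
    guess rate is the raw HMAC rate divided by the iteration count.
    """
    guesses_per_second = hmac_rate / iterations
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def is_safely_stretched(length: int, alphabet_size: int, iterations: int,
                        hmac_rate: float = ASSUMED_HMAC_RATE,
                        minimum_years: float = 1e6) -> bool:
    """True if exhausting the keyspace would take at least `minimum_years`."""
    years = years_to_exhaust(keyspace_size(length, alphabet_size), hmac_rate, iterations)
    return years >= minimum_years


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"          # constructed sample value
    key = derive_vault_key("correct horse battery", salt, 100_000)
    print("derived key:", key.hex())

    # Two illustrative users: a weak 8-char lowercase password at a low
    # iteration count versus a 14-char mixed-case+digit password at a high one.
    cases = [
        ("weak",   8,  26,   1_000),
        ("strong", 14, 62, 100_000),
    ]
    for label, length, alphabet, iters in cases:
        bits = password_entropy_bits(length, alphabet)
        yrs = years_to_exhaust(keyspace_size(length, alphabet), ASSUMED_HMAC_RATE, iters)
        print(f"{label}: {bits:5.1f} bits, {iters:>7} iterations -> "
              f"{yrs:.3g} years to exhaust (safe={is_safely_stretched(length, alphabet, iters)})")
```

The two levers that decide the outcome are visible in the arithmetic: keyspace grows exponentially with password length and alphabet, while the iteration count only divides the attacker’s guess rate linearly. That is why the article’s advice splits the way it does: a high iteration count cannot rescue a short or reused master password, whereas a long random one stays out of reach even against a fast offline attacker.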
In addition to the passwords, Toubba said the stolen vault data includes “fully encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data,” along with unencrypted URLs. Sophisticated attackers, The Verge notes, could use the information conveyed by the websites a user visits to craft more convincing phishing campaigns.
LastPass did not immediately respond to Gizmodo’s request for comment.
For a company whose primary service revolves around collecting and protecting passwords in one secure place, this is about as bad as it gets. LastPass first revealed the latest attack in a blog post late last month. At the time, the company said cryptically that the attacker was able to access “certain elements” of “customers’ information,” without providing further details. The company went on to say that no customer passwords were affected by the incident, which is technically true but, as we now know, only tells part of the story.
To make matters worse, this latest hack appears to have been made possible by an earlier incident that occurred only six months ago. In that incident, the company says, the attacker appears to have stolen “source code and technical information” from the development environment and used it to target an employee to obtain their credentials.
See, in a digital world that requires users to have dozens upon dozens of credentials, password managers are increasingly a security requirement. At the same time, the high concentration of sensitive information makes password manager sites some of the most appetizing targets for bad actors. LastPass should have seen this coming and should have disclosed these details to customers earlier if the findings were available.