Given that everyone’s threat model is different, no one person will have the same requirements as the other. But security incidents like this are a reminder that not all password managers are created equal and can be attacked, or compromised, in different ways. Password managers are overwhelmingly a good thing to use for storing your passwords, which should all be long, complex and unique to each site or service. Toubba said that the cybercriminals also took vast reams of customer data, including names, email addresses, phone numbers and some billing information.
But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.” LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. It’s not clear how recent the stolen backups are. The unencrypted data includes vault-stored web addresses.
The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.
0 kommentar(er)
