Data Theft: LastPass Says Hackers Copied Backup of Customer Vault Data
New Delhi, December 23: Encrypted password manager LastPass has admitted that hackers were able to "copy a backup of customer vault data," in a recent data breach.
LastPass is a freemium password manager that stores encrypted passwords online.
In a statement, the company said that the threat actor "was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data".
It means that the threat actor may attempt to use brute force to "guess your master password and decrypt the copies of vault data they took". The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with "your LastPass vault".
"In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information," the company added. The company recommended that its users never reuse master passwords on other websites.
"If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account," said the company. Earlier this month, Karim Toubba, the CEO of LastPass, admitted its systems were compromised for the second time this year.
The company detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. The earlier security breach in August this year had allowed hackers internal access to the company's systems for four days until they were detected and evicted.
(The above story first appeared on LatestLY on Dec 23, 2022 01:06 PM IST.)