LastPass hacked for the second time this year, customer data stolen by hacker


If you use LastPass as a secure password-managing service, things might not be as secure as you think. Earlier this year, in August, the password keeper disclosed that it had been breached, with an unknown hacker having gained access to LastPass' source code and proprietary data. At the time, the company stressed that customers were unaffected by the hack and that their data was safe. Now LastPass has had to announce that it has been hacked for a second time this year, and that in this incident customer data has indeed been accessed and stolen.

According to an internal investigation, the same hacker used data taken in August (cloud storage access and dual storage container decryption keys) to obtain a backup of LastPass customer data. This means that the individual was able to access billing addresses, telephone numbers, IP addresses, and email addresses saved to users' accounts. That isn't the end of the breach, though, because the hacker also copied a backup of vault data, which contains the most sensitive information: usernames, passwords, and saved form-field data. LastPass claims that no credit card data was accessed, as the service does not store complete credit card numbers or related information.

While information such as email addresses and telephone numbers was not encrypted, the password vaults were, using 256-bit AES encryption that requires the user's master password as the key to unlock them. LastPass therefore claims that, even with this data in hand, it would be incredibly difficult for the hacker to actually read the contents of a customer vault. That being said, there is the potential for someone to either brute-force the master password or eventually decrypt the data.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault. To protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when you sign into your vault from a LastPass client, LastPass will never ask you for your master password.

With all this in mind, LastPass says that there is no need to take action at this time unless your master password was not as secure as recommended. This is just the latest in a string of hacks that the password-managing service has suffered over the past few years, with incidents in 2015, 2017, and 2019 all resulting in customer data being accessed by hackers.

Source

Kioku
Unhackable means that there is no place from which they can be hacked.

Other options are stateless passwords, dynamical passwords, generated on demand passwords.
I'd rather have a physical security key than the last two password options...

I_g_o_r
Kioku said:
I'd rather have a physical security key than the last two password options...
Physical security keys can be broken, stolen, damaged, confiscated, etc.

Some of them rely on encryption.
Researchers claim that they can break encryption with a 372-qubit quantum computer.
IBM has a 433-qubit quantum computer.
In 2023 IBM will have a 1000-qubit quantum computer and promises a 4000-qubit quantum computer in 2025.

Kioku
I_g_o_r said:
Physical security keys can be broken, stolen, damaged, confiscated, etc.

Some of them rely on encryption.
Researchers claim that they can break encryption with a 372-qubit quantum computer.
IBM has a 433-qubit quantum computer.
In 2023 IBM will have a 1000-qubit quantum computer and promises a 4000-qubit quantum computer in 2025.
Nothing is "unhackable". That's kind of the point, ain't it?

Also, what generates "on demand" passwords if not a physical device? Can that not be stolen? There are holes in virtually every security "solution"... Most 2FA can be circumvented just by taking someone's phone...
