The password manager's most recent data breach is so concerning, users need to take immediate steps to protect themselves.
r to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. For the security service's 25.6 million users, though, the company made an announcement last week: A security incident the firm previously reported on November 30 was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data.

The details LastPass provided about the situation last Thursday were worrying enough that security professionals quickly started calling for users to switch to other services. Now, nearly a week since the disclosure, the company has not provided additional information to confused and worried customers. LastPass has not returned WIRED's multiple requests for comment about how many password vaults were compromised in the breach and how many users overall were affected.

The company hasn't even clarified when the breach occurred. It seems to have been sometime after August 2022, but the timing is significant because a big question is how long it will take attackers to start “cracking” or guessing the keys used to encrypt the stolen password vaults. If attackers have already had three or four months with the stolen data, the situation is even more urgent for impacted LastPass users than if hackers have only had a few weeks. The company also did not respond to WIRED's questions about what it calls “a proprietary binary format” it uses to store encrypted and unencrypted vault data. In characterizing the scale of the situation, the company simply said in its announcement last week that hackers were “able to copy a backup of customer vault data from the encrypted storage container.”

“In my opinion they are doing a world-class job detecting incidents, and a really, really crummy job preventing issues and responding transparently,” says Evan Johnson, a security engineer who worked at LastPass more than seven years ago. “I'd be either looking for new options or looking to see a renewed focus on building trust over the next few months from their new management team.”

The breach also includes other customer data, including names, email addresses, phone numbers, and some billing information. And LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted, but other information like URLs is not. In this situation, the plaintext URLs in a vault could give attackers an idea of what's inside and help them prioritize which vaults to work on cracking first.

The vaults, which are protected by a user-selected master password, pose a particular problem for users seeking to protect themselves in the wake of the breach, because changing that primary password now with LastPass won't do anything to protect the vault data that's already been stolen. Or, as Johnson puts it, “With vaults recovered, the people who hacked LastPass have unlimited time for offline attacks by guessing passwords and attempting to recover a specific user's master key.”
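To make the two points above concrete, here is an added Python model of a "hybrid" vault of the kind the article describes. It is illustrative code written for this page, not LastPass's software or its proprietary binary format: the field-level encryption is a toy HMAC-based stream cipher standing in for a real cipher, the PBKDF2 iteration count is an assumed value, and the vault entries are constructed samples. What it shows is that a stolen copy still reveals every URL in the clear, that the stolen copy keeps opening with the master password that was in use when it was taken, and that rotating the master password on the live account re-encrypts only the live copy.

```python
"""Model of a hybrid password vault: URLs stored in plaintext, secrets
encrypted under a key derived from the master password. Constructed
illustration only; the cipher below is a toy, not a production design."""
import copy
import hashlib
import hmac
import os

# Assumed KDF cost for this illustration; not LastPass's real setting.
# Each offline guess of the master password costs one derivation at this price.
KDF_ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 run in counter mode (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> dict:
    """Encrypt one vault field and attach an integrity tag over nonce and ciphertext."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(key: bytes, blob: dict):
    """Return the plaintext, or None if the key is wrong (tag check fails)."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_vault(master_password: str, entries: list) -> dict:
    """Hybrid layout: 'url' stays plaintext, 'username' and 'password' are encrypted."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    items = [
        {"url": e["url"],
         "username": encrypt_field(key, e["username"]),
         "password": encrypt_field(key, e["password"])}
        for e in entries
    ]
    return {"salt": salt.hex(), "items": items}


def plaintext_exposure(vault: dict) -> list:
    """What a stolen copy reveals before a single master-password guess is made."""
    return [item["url"] for item in vault["items"]]


def open_vault(vault: dict, master_password: str):
    """Decrypt every entry; None means this master password does not fit this copy."""
    key = derive_key(master_password, bytes.fromhex(vault["salt"]))
    opened = []
    for item in vault["items"]:
        pw = decrypt_field(key, item["password"])
        if pw is None:
            return None
        opened.append((item["url"], pw))
    return opened


def change_master_password(vault: dict, old: str, new: str) -> dict:
    """Re-encrypt the live vault under a new master password.

    Returns a fresh vault (new salt, new key); the input dict is not modified,
    and any copy stolen earlier is of course untouched by this operation."""
    entries = open_vault(vault, old)
    if entries is None:
        raise ValueError("old master password does not open this vault")
    key = derive_key(old, bytes.fromhex(vault["salt"]))
    full = [{"url": url,
             "username": decrypt_field(key, item["username"]),
             "password": pw}
            for (url, pw), item in zip(entries, vault["items"])]
    return build_vault(new, full)


if __name__ == "__main__":
    # Constructed sample vault; the hostnames and secrets are made up.
    old_pw, new_pw = "correct horse battery staple", "new-and-longer-passphrase"
    live = build_vault(old_pw, [
        {"url": "https://bank.example", "username": "alice", "password": "hunter2"},
        {"url": "https://mail.example", "username": "alice@example", "password": "s3cret"},
    ])
    stolen = copy.deepcopy(live)  # the backup the attacker copied
    live = change_master_password(live, old_pw, new_pw)
    print("plaintext URLs in stolen copy:", plaintext_exposure(stolen))
    print("stolen copy opens with OLD password:", open_vault(stolen, old_pw) is not None)
    print("live vault opens with OLD password:", open_vault(live, old_pw) is not None)
```

The only knobs a user controls after the fact are the ones baked into the stolen copy: the strength of the master password that was in use and the KDF cost the service applied, which together bound how many guesses per second an offline attacker can afford. That is why the practical advice is to treat the passwords inside an exposed vault as compromised and rotate those, rather than just the master password.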