Lastpass breach 2015

11/18/2023

LastPass, the company behind the popular password management service of the same name, announced on Monday that it has suffered a breach, and has urged users to verify their account and update their master password.

Suspicious activity on the company’s network was discovered on Friday, and the subsequent investigation revealed that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised.

Apparently, no encrypted user vault data was taken and no LastPass user accounts were accessed, so there is no need for users to change the various site passwords they keep stored in their vault.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” LastPass CEO and co-founder Joe Siegrist noted, and explained: “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

But despite the strong encryption used by the company, a master password change will be forced on users just in case. The company also advises users to change that same password if they (contrary to often-repeated advice) used it for other online services or websites.

Finally, they are urging users to take advantage of the multifactor authentication option that the company is offering.

Another thing that users should be worried about and on the lookout for is fake LastPass email notifications sent by crooks phishing for additional user information.

The company has said that they have started sending out warnings about this incident to users via email, but many have commented that they didn’t receive one yet and expressed their anger about finding out about it via news sites.

Given the very short period between the discovery of the breach and the company’s warning, it’s possible that the real extent of the breach is still unknown.

“LastPass claims that the encrypted vaults were not stolen. If the hashes AND encrypted vaults were stolen, the attacker could take their sweet time to crack all the hashes and decrypt the vaults,” commented Steve Manzuik, Director of Security Research at Duo Security’s Duo Lab. “If this were the case, there would be little an end user could do to mitigate the risk besides going through every account stored within LastPass and changing the passwords.”

Other potential risks he pointed out include accounts and folders shared with LastPass, and the fact that the LastPass browser extension could have been tampered with.

Hopefully LastPass will come up with updates on the situation soon.

We’ve received a variety of comments from industry leaders on this breach, and you can read them here.

I want to share with you an important update about the security incident we disclosed on December 22, 2022. We have now completed an exhaustive investigation and have not seen any threat-actor activity since October 26, 2022. During the course of our investigation, we have learned a great deal more about what happened and are sharing new findings today. Over the same period, we invested a significant amount of time and effort hardening our security while improving overall security operations. In today’s update, I’ll review those measures and highlight additional security steps that we are taking.

What happened and what actions did we take?

What actions should you take to protect yourself or your business?

We are privileged to serve millions of users and more than 100,000 businesses, and we want to ensure that all of our customers have the information they need to answer their questions.
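As an added illustration (not code from the article or from LastPass), here is a toy model of the layered hashing Siegrist describes above: the client derives an authentication hash from the master password, and the server strengthens it with a random per-user salt and 100,000 rounds of PBKDF2-SHA256 before storing it. The client-side round count, the use of the email as the client-side salt and the one-round derivation of the auth hash from the vault key are assumptions made for the example, not details taken from the page.

```python
import hashlib
import hmac
import os

# Assumed for illustration: a few thousand client-side rounds. The 100,000
# server-side rounds is the figure quoted in the article.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def client_auth_hash(email: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """What the client sends instead of the master password (assumed design).

    The vault key is derived from the master password with the lower-cased email
    as salt; the auth hash is one extra PBKDF2 round over that key, so the server
    never sees the vault key itself.
    """
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), rounds)
    return hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)


def server_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: random per-user salt + 100,000 rounds of PBKDF2-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds)


def enroll(email: str, master_password: str) -> dict:
    """Create the stored record: the per-user salt and the strengthened hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": server_strengthen(client_auth_hash(email, master_password), salt)}


def verify(record: dict, email: str, master_password: str) -> bool:
    """Replay the whole chain and compare in constant time."""
    candidate = server_strengthen(client_auth_hash(email, master_password), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def attacker_guesses_per_second(raw_pbkdf2_rounds_per_second: float) -> float:
    """Offline guessing rate against a leaked (salt, hash) pair.

    The leak includes the salt, so every candidate master password still costs
    the attacker the client rounds plus the server rounds; that is the slowdown
    the article refers to.
    """
    return raw_pbkdf2_rounds_per_second / (CLIENT_ROUNDS + 1 + SERVER_ROUNDS)
```

With one billion PBKDF2 rounds per second of hardware, the stretched chain brings the attacker below ten thousand master-password guesses per second per user, which is why the advice in the article is still to change the master password rather than rely on the hashing alone.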