After being hacked for the second time this year, the password manager LastPass acknowledged that the incident was much more serious than the company had reported: the attackers managed to steal personal data, including passwords.
Password managers are programs that manage all our passwords in one place, remember them for us, and even suggest very complex character combinations that we don’t have to remember.
In general they are useful because they let you generate stronger passwords and manage the many passwords in use today. But, of course, they have a big potential weakness: if attackers gain access to the master password, they gain access to all the passwords.
“Customer data was not accessed during the August 2022 incident,” explained LastPass CEO Karim Toubba. However, part of the app’s source code was taken and then used to trick a LastPass employee into giving up their login credentials; the attackers then used those keys to decrypt and copy “some storage volumes within the cloud-based storage service”.
The encrypted data obtained by the hackers includes basic customer account information such as company names, billing, email, and IP addresses, and phone numbers, Toubba continued.
“These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” said Toubba. “As a reminder, LastPass never knows the master password and LastPass doesn’t store or maintain it,” he said.
However, in the field of computer security this claim is considered unreliable, and many experts say that passwords have been leaked.
For this reason, it is recommended not only to change the master password but also to always keep second-factor authentication enabled.
It is worth mentioning that the company was also hacked in August.
The LastPass security breach
The company disclosed another data breach earlier this month in which cybercriminals gained access to customer data stored in a third-party cloud service.
According to the company’s CEO, Karim Toubba, the attackers used information stolen in this year’s August security breach to gain access to the cloud space the company shares with its affiliate GoTo.
In August 2022, LastPass confirmed that a threat actor had compromised the company’s development environment for four days using a developer account. The threat actor also obtained access to source code and some proprietary technical information, but the company disclosed that customer data and proprietary information had not been accessed, nor had encrypted passwords.
This time, however, the leak has consequences for its users. LastPass had stated that the attacker used information obtained in the previous incident to facilitate the November 2022 data breach and gain access to undisclosed elements of LastPass’s customer information.
The company now confirms that the leak is more serious than previously thought.
Source: Clarin
Linda Price is a tech expert at News Rebeat.