Security News > 2022 > December > LastPass says attackers got users’ info and password vault data
The August 2022 LastPass breach has resulted in potentially catastrophic consequences for the company and some of its users: attackers have made off with unencrypted customer data and copies of backups of customer vault data.
"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client."
LastPass says that, if users followed best security practices - having a master password of 12+ characters and not having used it for other accounts - current password-cracking technology will get attackers nowhere.
"The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password," Toubba said.
That's not enough! Since LastPass does not encrypt website URLs, the attackers have enough data for launching targeted phishing campaigns impersonating other services.
"The painful thing for LastPass users who did unfortunately reuse their master password on other sites is that this case is now an *offline* attack - which means 2FA or changing one's LastPass web password won't help much - the attackers have a point-in-time snapshot of all the credentials in those stolen vaults. And if you were using a weak master password when they were stolen, you're screwed," noted security researcher Kenneth White.
News URL
https://www.helpnetsecurity.com/2022/12/23/lastpass-breach-customer-vault/