Update: LastPass provided more technical details about the incident and more recommendations to take; see more information below.

LastPass, the provider of a password manager & vault security product used by some at UCI, experienced a cybersecurity incident in August of this year. At that time, they reported no impact to customer information and no impact to customer password vaults. Yesterday, LastPass unexpectedly announced that customer information (company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses) and encrypted password vaults were stolen. We don’t know if a subset or all of their customers are affected, but we are assuming the worst-case scenario.

While the stolen password vaults are encrypted with each user’s master password, there is a possibility the master password could be cracked and the vault decrypted over time via brute-force methods, with shorter master passwords being more vulnerable.

- Since the threat actor has an offline copy of the encrypted vault, UCI multi-factor authentication would not protect against such brute-force cracking.
- LastPass also revealed that the website URL is not encrypted within the vault; only the username, password, and notes fields are.
- Since the threat actor also obtained customer names and email addresses, there is increased risk of them sending phishing messages to trick you into giving them your master password.

A strong master password (see password strength resources below) should make it very difficult and take a very long time to crack any stolen encrypted vault; however, practicing due diligence is always a good idea.

- Whether you use a personal LastPass account or the UCI-provided LastPass Enterprise account, we recommend you change your LastPass master password to a new unique value that is at least 12 characters long; the longer the better.
- Never provide your master password (or any password) to anyone. If anyone asks you for it, contact OIT Security immediately.
- We recommend changing any high-value passwords stored within LastPass within a reasonable timeframe and enabling multi-factor authentication on them where possible as well.
- If you had a weak master password and also stored any personally identifiable information in a LastPass Secure Note, you may also want to consider these identity theft protection tips.

Leon Neal | Getty Images

Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Further Reading: LastPass users: Your info and password vault data are now in hackers’ hands

Monday’s update comes two months after LastPass issued a previous bombshell update that for the first time said that, contrary to previous assertions, the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.
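The advisory's core point is that once an attacker holds an offline copy of an encrypted vault, MFA is irrelevant and the only remaining defence is the cost of guessing the master password. The following Python script is an added illustration of that cost model; it is not code from LastPass, UCI OIT, or the Ars Technica article. It assumes a PBKDF2-SHA256 key derivation with a constructed iteration count and salt, measures how fast the local machine can try guesses, and extrapolates how long an exhaustive search would take at each password length. The attacker throughput multiplier is a placeholder, not a measured figure.

```python
"""Offline master-password cracking cost model (added example, not vendor code).

Constructed assumptions: PBKDF2-SHA256 key derivation, a placeholder iteration
count and salt, and a placeholder attacker-throughput multiplier.
"""
import hashlib
import math
import string
import time

ASSUMED_ITERATIONS = 100_100       # PBKDF2-SHA256 rounds per guess (placeholder)
ASSUMED_SALT = b"user@example.edu"  # stands in for an account identifier (constructed)
MIN_LENGTH = 12                     # the advisory's recommended minimum length
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password: str, iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """One candidate guess against an offline vault.

    Each guess costs `iterations` hash rounds; that cost, multiplied by the
    number of guesses the password length forces, is the whole defence once the
    ciphertext has been stolen.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), ASSUMED_SALT,
                               iterations, dklen=32)


def measure_guess_rate(iterations: int = ASSUMED_ITERATIONS, samples: int = 3) -> float:
    """Guesses per second this machine manages, by timing a few derivations."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", iterations)
    return samples / (time.perf_counter() - start)


def alphabet_size(password: str) -> int:
    """Size of the character pool an exhaustive search must cover, estimated
    from the character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return max(size, 1)


def keyspace(length: int, pool: int) -> int:
    """Number of candidates an exhaustive search of `length` chars over `pool` covers."""
    return pool ** length


def years_to_exhaust(length: int, pool: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: the full keyspace at the given rate, in years."""
    return keyspace(length, pool) / guesses_per_second / SECONDS_PER_YEAR


def assess(master_password: str, guesses_per_second: float) -> dict:
    """Summarise a master password against the advisory's 12-character minimum
    and the exhaustive-search cost at the supplied attacker rate."""
    pool = alphabet_size(master_password)
    n = len(master_password)
    return {
        "length": n,
        "meets_min_length": n >= MIN_LENGTH,
        "pool": pool,
        "entropy_bits": n * math.log2(pool) if pool > 1 else 0.0,
        "years_to_exhaust": years_to_exhaust(n, pool, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed attacker model: local single-core rate scaled by an assumed
    # 10,000x for dedicated cracking hardware. Placeholder, not a measurement.
    local_rate = measure_guess_rate()
    attacker_rate = local_rate * 10_000
    print(f"local rate: {local_rate:.1f} guesses/s, modelled attacker: {attacker_rate:.0f} guesses/s")
    for pw in ["Summer22!", "correct horse battery staple", "Xq7#vL9$pR2&wT4m"]:
        r = assess(pw, attacker_rate)
        print(f"{pw!r:34} len={r['length']:2} pool={r['pool']:2} "
              f"bits={r['entropy_bits']:5.1f} min_ok={r['meets_min_length']} "
              f"exhaust={r['years_to_exhaust']:.3g} years")
```

The model is a ceiling, not a prediction: real cracking starts with wordlists and common patterns, so a long password built from dictionary words or a predictable pattern falls far sooner than its exhaustive-search figure suggests. That is why the advisory pairs "at least 12 characters" with "unique value"; length buys time only if the password is not already on someone's list.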