On Thursday, LastPass, the password manager, revealed that attackers had accessed and copied a backup of customer vault data, including customers’ encrypted passwords.
According to the company, LastPass users with a weak master password, or one reused on another service and therefore already exposed alongside their email address or phone number in an earlier breach, may need to change all of the passwords stored in their vault.
A threat actor may try to access your accounts by using dumps of compromised credentials that are already available online, LastPass CEO Karim Toubba said, describing so-called credential stuffing attacks.
The company made the announcement after disclosing an August incident in which some source code and technical information were taken from its development environment and later used in the most recent attack.
Because information from the first attack was used to stage the second, LastPass concluded that the same person or group was responsible for both. With that information, the threat actor was able to obtain the credentials and keys for LastPass’s cloud-based storage, including the decryption keys for its dual storage containers.
The attackers copied backups of customer account information that LastPass stores unencrypted: company names, end-user names, billing addresses, email addresses and telephone numbers, as well as the IP addresses from which customers accessed the service. This is the part of the disclosure that has most worried onlookers.
The backup also included customer vault data: secure notes, form-fill data and other fully encrypted sensitive fields such as website usernames and passwords. The blog post stated in bold text that these encrypted fields are protected by 256-bit AES encryption and can only be decrypted with a unique key derived from each user’s master password.
LastPass’s encryption and hashing techniques, according to Toubba, would make it “extremely difficult” for the threat actor to brute-force master passwords. A brute-force attack guesses a password by trying every possible candidate in turn (“aaaaaaa”, “aaaaaab”, “aaaaaac” and so on) until one succeeds. The “hashing” here is a key derivation function: LastPass derives the vault key from the master password with PBKDF2-SHA256, 100,100 iterations by default, so each guess costs the attacker 100,100 HMAC computations rather than one. Accounts created before that default was raised may still be set to a lower iteration count, which is worth checking in the account settings.
AES-256 has 2 to the power of 256 possible keys. Brute-forcing a key that size with today’s hardware would take an absurdly long time, as this explainer from the 3blue1brown YouTube channel demonstrates. That figure, however, describes guessing the key directly. An attacker holding a copy of the vault does not need to: they guess master passwords and derive the key from each guess, so the effective search space is that of the master password, not of the 256-bit key. A twelve-character random password is still far out of reach; a password taken from a leaked credential dump is not.
Apart from attacks on reduced-round variants, there is no publicly known attack that recovers the key for material encrypted with the full 256-bit AES (Advanced Encryption Standard) materially faster than brute force.
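To make the difference between guessing the AES key and guessing the master password concrete, the following is an added example, not LastPass code and not taken from the article. It models an offline attacker who holds a stolen vault backup: the salt (the account email) and the iteration count are in the unencrypted part of the backup, and each candidate master password costs one PBKDF2 run. PBKDF2-SHA256 with the email as salt and 100,100 iterations is LastPass’s documented default; lowercasing the email, the HMAC “seal” standing in for an AES-256-encrypted field (hashlib has no AES, and the attacker’s oracle is the same either way: derive a key, see whether a known field opens), the wordlist, the email addresses and all function names are assumptions of this example.

```python
"""Offline master-password guessing against a stolen vault backup.

Added example (not LastPass code). Model, stated as assumptions:
  * vault key = PBKDF2-HMAC-SHA256(master password, salt=email, iterations);
    100,100 iterations is LastPass's documented default.
  * The attacker recognises a correct key by opening a known field. A real
    attacker decrypts an AES-256 field and sees a URL or username; here the
    sealed field is an HMAC under the derived key, which gives the same
    one-KDF-run-per-guess oracle without needing an AES library.
"""
import hashlib
import hmac
import time

DEFAULT_ITERATIONS = 100_100  # LastPass default PBKDF2 iteration count in 2022


def derive_vault_key(master_password: str, email: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, email as salt (lowercasing is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def seal_vault(master_password: str, email: str, known_field: bytes,
               iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build what the attacker holds after the backup theft: salt and
    iteration count in the clear, plus a field sealed under the derived key.
    Only the master password is missing."""
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,
        "iterations": iterations,
        "known_field": known_field,  # e.g. a URL the attacker expects to find
        "tag": hmac.new(key, known_field, "sha256").digest(),  # stand-in for AES ciphertext
    }


def key_opens_vault(key: bytes, vault: dict) -> bool:
    """Offline oracle: does this candidate key open the known field?"""
    expected = hmac.new(key, vault["known_field"], "sha256").digest()
    return hmac.compare_digest(expected, vault["tag"])


def guess_master_password(vault: dict, candidates):
    """Dictionary / credential-stuffing attack: one KDF run per guess.
    Returns (recovered password or None, number of guesses made)."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        key = derive_vault_key(candidate, vault["email"], vault["iterations"])
        if key_opens_vault(key, vault):
            return candidate, attempts
    return None, attempts


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates for a random password of this length."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the given rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


# Constructed wordlist standing in for a leaked-credential dump.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2022!",
            "iloveyou", "welcome1", "Password1", "dragon", "monkey"]

if __name__ == "__main__":
    weak = seal_vault("Summer2022!", "alice@example.com", b"https://bank.example")
    strong = seal_vault("kq7#Vd9!pL2mX@e", "bob@example.com", b"https://bank.example")

    t0 = time.perf_counter()
    found, attempts = guess_master_password(weak, WORDLIST)
    per_guess = (time.perf_counter() - t0) / attempts
    print("weak vault  :", found, "after", attempts, "guesses")
    print("strong vault:", guess_master_password(strong, WORDLIST))

    rate = 1 / per_guess
    print(f"~{rate:.0f} guesses/s on this machine at {DEFAULT_ITERATIONS} iterations")
    print(f"12 random printable chars: {years_to_exhaust(keyspace(12, 94), rate):.3g} years")
    print(f"AES-256 key space        : {years_to_exhaust(2 ** 256, rate):.3g} years")
```

Run it and the weak vault falls on the fifth guess while the strong one survives the whole list; the printed estimates show why the 2^256 figure is beside the point for a reused password, and why the iteration count, which multiplies the cost of every guess, is the setting a user can actually influence besides the password itself.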
A successful attack gives access to all of a user’s stored passwords, according to the United Kingdom’s National Cyber Security Centre (NCSC), making password managers an easy target for someone attempting to access your accounts without authorization.
Despite this risk, the NCSC still advises using password managers, provided the service meets technical requirements such as denying attackers access to the decryption key.
According to Toubba, LastPass never knows the master password and neither stores nor maintains it; encryption and decryption of vault data happen only in the local LastPass client.
Customers who use LastPass’s default settings, such as a unique master password of at least twelve characters, are not required to take any further action, according to the blog post. Those with weaker passwords, including business customers who do not use LastPass’s federated login services, were advised to consider reducing their risk by changing the passwords of the websites stored in their vault.