Earlier this month we told you that LastPass, one of the most popular services for securely storing passwords in the cloud, had been the victim of a second large-scale hack against its infrastructure so far this year. Although it was initially said that user data had not been compromised, let alone passwords, a thorough analysis of the hack and its scope is revealing the opposite: hackers have indeed managed to gain access to users’ private data. the users.
The first computer attack took place in August 2022, although its scope was very limited, and only some internal files (source code, among other things) were obtained from these servers. Or, at least, that was thought. At the end of November, the LastPass servers were again compromised in a much larger attack, which could be carried out thanks to inside information obtained during the first attack (some vulnerability discovered in the code, certificates, etc.) .
The attack last November was much larger and more difficult to detect. Of course, in the first instance it was revealed that the user data had not been compromised in any way, so there was nothing to worry about. Today, the company changes its version, and yes, the attack has been much more serious than initially thought.
User data is at risk
In a new post on the LastPass blog, the company claims it has found evidence that the attacker, or attackers, who carried out this hack managed to download a copy of the entire customer vault. Both encrypted data and unencrypted data can be found in this backup. Among the unencrypted data that has been found we can highlight, for example, saved URLs, company names, billing addresses, telephone numbers or IP addresses, among other things. And, among the encrypted data, there are usernames and passwords saved in this service.
The encrypted data, in theory, is securely protected, since it has 256-bit AES encryption. LastPass did not store the master password, so attackers cannot get it and use it to decrypt the data. But they can force it (in case users used strong passwords) or use brute force to find it, dangerous if the victims were in the habit of reusing passwords.
The only data that has not been compromised is that of the payment cards, since they were not fully stored in LastPass.
What can I do now
Of course, hackers have found a real treasure. Not only because of the large amount of personal data that is unencrypted and already in your possession, but because of the strong, reliable, and surely functional passwords that are also in your possession, although they will be encrypted. Now, the hackers’ goal is to find a way to break the 256-bit AES encryption and gain unlimited access to all these passwords to probably sell them online. How easy, or difficult, this is just depends on the password the user used.
If we were LastPass users a few months ago, surely our data is already in the hands of hackers. And, although we can no longer do anything for them, what we can do is change the master password used in the service, change all the passwords of all the sites that we have saved on this platform and, in addition, pay close attention to the emails , messages and communications that may reach us, since unencrypted data can be used for phishing.
