This well-known password manager experienced one of the biggest data leaks. Although, from the beginning, they assured users that their passwords were safe. The truth is that the attack they suffered in August of last year has been worse than they expected. More than anything, because the computer attacker has managed to access user information.
This option was one of the best-known alternatives so that users could safely store each of their passwords. However, since the hack he suffered, things have changed. Especially since they even managed to steal the password vault. However, you already know which method was used.
How the passwords were stolen
At first, after beginning the investigation of everything that had happened, after realizing the security breach. From LastPass, they ensured that there was no evidence that the hacker had been able to access his data or the encrypted password vault.
However, months later the worst was confirmed, that indeed, the cybercriminal had managed to download a copy of the entire vault they kept. But how was it achieved? We already know. The LastPass password theft was made possible by the attacker by gaining access to an employee’s PC. To be more exact, the hacker gained access to the DevOps engineer’s corporate LastPass vault.
In this way, the attacker was able to export all of the native LastPass vault and the contents of the shared folders that this employee had on his PC. In them, one could find some ‘encrypted secure notes with access and decryption keys needed to access AWS S3 LastPass production backups’.
So we’re talking about the hacker being able to break right into LastPass and steal a lot of important data, without password manager security being able to do anything about it.
LastPass encrypted data
However, as we already saw in December of last year, when LastPass claimed that the stolen encrypted data was still safe, since it has 256-Bit AES encryption. The truth is that the case in general does not look good for the manager, since cybercriminals have taken a large part of important data.
Everything will depend on whether we really trust LastPass. Since, as they have stated, it can only be decrypted with a master password, which is not stored in their database. So they couldn’t get it. However, the hacker did manage to get hold of the master password of this affected employee.
Therefore, if they manage to break the 256-bit AES encryption, the master password used in LastPass will have to be changed, in addition to all the passwords of the different sites that we have been managing with this particular platform. So you will have to pay close attention if you are going to continue using this manager.