
Password management company LastPass has announced that it suffered a security breach in which attackers stole both encrypted customer account data (which is bad) and customer vaults containing encrypted usernames and passwords (which is much, much worse). On the positive side, the data of users who abided by LastPass’s defaults and created master passwords of at least 12 characters in length will likely resist cracking attempts.

Although 1Password is the most popular password manager for Apple users, we’ve mentioned LastPass as an alternative in previous articles, so here’s what happened and how LastPass users should react. For those who don’t use LastPass, we also discuss ways your organization can improve its online security by learning from LastPass’s mistakes and misfortunes.

The Breach

According to LastPass, the breach started in August 2022 when an attacker compromised a developer’s account. The attacker then leveraged information and credentials from that initial breach to target another LastPass employee’s account, where they were able to steal data from cloud-based storage that LastPass used for backup. The main lesson here is that a dedicated attacker will probe all points of access into a company’s digital infrastructure; everyone must be mindful of security at all times.

It also seems that LastPass may have been paying more attention to its on-premises production systems than its cloud-based backup storage. Any organization can learn from that error: if backups contain sensitive data, they should be equally protected.

LastPass says that the stolen data included unencrypted customer account information such as names, addresses, and phone numbers, but not credit card details. In the customer vaults, LastPass did secure usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, so they can be decrypted only with a unique encryption key derived from each user’s master password.
