On August 25, 2022, LastPass published an official statement notifying customers that a third party gained unauthorized access to portions of their development environment, source code, and technical information through a single compromised developer account.
On December 22, LastPass revealed that a threat actor obtained both a backup of customer data and the customer vault data (the password databases), by using some of the information obtained in previous attacks. The customer data included customers’ names, billing addresses and phone numbers, email addresses, IP addresses and partial credit card numbers. The vault data included, for each breached user, the user’s unencrypted website URLs and site names, and the encrypted usernames, passwords, and form data for those sites. LastPass confirmed that the security lapse did not involve access to unencrypted credit card data, as this information was not archived in the cloud storage container.
According to thehackernews.com, it bears noting at this stage that the success of the brute-force attacks to predict the master passwords is inversely proportional to their strength, meaning the easier it is to guess the password, the lesser the number of attempts required to crack it.
“If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the internet to attempt to access your account,” LastPass cautioned. A successful decryption of the master password could give the attackers a sense of the websites a particular user holds accounts with, enabling them to mount additional phishing or credential theft attacks.