27 December 2022

TechCrunch: “LastPass says hackers stole customers’ password vaults”

Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses. It’s not clear how recent the stolen backups are.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.

Zack Whittaker

I have moved away from LastPass after they restricted free accounts to a single device type, either desktop or mobile. The string of hacks that followed and the company’s bad practices continue to reassure me that I have made the right choice. Nevertheless, I haven’t deleted my account or any of the stored data, so it might have been affected by this breach. I use a fairly strong master password on LastPass, but that’s no guarantee that the encryption won’t be cracked eventually. It might be time to go through all those passwords, update them for critical services, and eventually remove my LastPass account altogether.

As an alternative, I have been using Microsoft Authenticator since then. Initially I started using it as a mobile app for two-factor authentication on Android, and because of its integration with Microsoft Edge. Over time the feature set expanded to password generation and syncing across multiple devices, so right now it's almost on par with LastPass. Authenticator is also available as a Chrome extension for that browser's many users – though it didn't offer a Firefox extension the last time I checked – and it looks like you can import passwords from LastPass fairly effortlessly as well…
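The offline attack the quoted article warns about, worked through as an added illustration rather than anything from LastPass's code or vault format: a constructed vault keeps URLs in clear beside secrets encrypted under a key derived from the master password with PBKDF2, and whoever holds a stolen copy can test candidate master passwords against it without ever contacting the service, so no server-side lockout applies. The salt size, the cipher (HMAC-SHA256 in counter mode standing in for the real one), the MAC tag, the sample records, the wordlist and the iteration counts are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed wordlist standing in for a cracking dictionary (not real leaked data).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2022!"]


def derive_key(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA256: the iteration count is what each offline guess costs the attacker."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def subkeys(master_key):
    """Split the derived key into separate encryption and MAC keys."""
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption: illustrative only)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_entry(master_password, salt, iterations, url, secret):
    """One vault record: URL in clear (as the article describes), secret encrypted then MACed."""
    enc_key, mac_key = subkeys(derive_key(master_password, salt, iterations))
    nonce = os.urandom(12)
    plaintext = json.dumps(secret).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"url": url, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_entry(master_password, salt, iterations, entry):
    """Decrypt one record; None when the password is wrong (the MAC check fails)."""
    enc_key, mac_key = subkeys(derive_key(master_password, salt, iterations))
    expected = hmac.new(mac_key, entry["nonce"] + entry["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry["tag"]):
        return None
    ks = keystream(enc_key, entry["nonce"], len(entry["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(entry["ciphertext"], ks)))


def build_vault(master_password, iterations):
    """Constructed sample vault; salt and iteration count travel with the stolen copy."""
    salt = os.urandom(16)
    records = [("https://bank.example", {"user": "alice", "pass": "hunter2"}),
               ("https://mail.example", {"user": "alice@mail.example", "pass": "s3cret"})]
    return {"salt": salt, "iterations": iterations,
            "entries": [encrypt_entry(master_password, salt, iterations, u, s) for u, s in records]}


def exposed_urls(vault):
    """What the thief reads with no key at all: which services the victim has accounts on."""
    return [e["url"] for e in vault["entries"]]


def brute_force(vault, wordlist):
    """Offline guessing against the stolen copy; the service is never contacted, so no lockout helps.
    Returns (recovered_password, guesses_tried), or (None, n) if the list is exhausted."""
    probe = vault["entries"][0]  # one record is enough to confirm a guess; all share the key
    for n, candidate in enumerate(wordlist, 1):
        if open_entry(candidate, vault["salt"], vault["iterations"], probe) is not None:
            return candidate, n
    return None, len(wordlist)


def seconds_per_guess(vault, samples=5):
    """Measured cost of one guess on this machine; it scales linearly with the iteration count."""
    probe = vault["entries"][0]
    start = time.perf_counter()
    for i in range(samples):
        open_entry("probe-%d" % i, vault["salt"], vault["iterations"], probe)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = build_vault("letmein", iterations=1000)
    print("clear-text URLs:", exposed_urls(weak))
    print("weak master password recovered:", brute_force(weak, WORDLIST))
    strong = build_vault("correct horse battery staple", iterations=1000)
    print("strong master password:", brute_force(strong, WORDLIST))
    for iters in (1000, 100000):
        print("%d iterations: %.4f s per guess" % (iters, seconds_per_guess(build_vault("x", iters))))
```

Two things the run makes concrete: the URLs come out of the stolen copy with no key at all, which is enough to know which services to target, and the only cost the attacker pays per guess is the PBKDF2 iteration count baked into the vault, so a master password that appears in a wordlist falls in a handful of derivations regardless of how strong the cipher around it is. Multiply the measured seconds per guess by the size of the candidate space to estimate how long a given master password actually buys.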
