LastPass Data Breach: It’s Time to Ditch This Password Manager


You have heard it repeated: you need to use a password manager to generate strong, unique passwords and keep track of them for you. And if you eventually decided to go with a popular and free option, especially in the 2010s, it may well have been LastPass. However, for the 25.6 million users of the security service, the company made an ominous announcement on December 22: a security incident the company had previously reported (on November 30) was actually a massive and disturbing data breach that exposed encrypted password vaults—the crown jewel of any password manager—along with other user data.

The details LastPass provided about the situation a week ago were disturbing enough that security experts quickly began urging users to switch to other services. Now, nearly a week after the announcement, the company has provided no further information, leaving customers confused and worried. LastPass did not return multiple WIRED requests for comment on the number of password vaults that were compromised in the breach and the number of users affected.

The company didn’t even clarify when the breach occurred. It looks like it happened sometime after August 2022, but the timing is crucial, because one big question is how long it will take attackers to start cracking, or guessing, the keys used to encrypt the stolen password vaults. If the attackers have had three or four months with the stolen data, the situation is even more urgent for affected LastPass users than if the hackers had only a few weeks. The company also did not respond to WIRED’s questions about what it calls a “proprietary binary format” it uses to store encrypted and unencrypted vault data. Describing the scale of the situation, the company said in its announcement that hackers “were able to copy a backup of a customer’s vault data from an encrypted storage container.”

Evan Johnson, a security engineer who worked at LastPass more than seven years ago, said: “In my opinion, they are doing a world-class job of detecting incidents and a really, really bad job of transparently preventing issues and feedback.” He added: “I will be looking for new options or would like to see a renewed focus on building trust over the next few months from their new management team.”

The breach also included other customer data, including names, email addresses, phone numbers and some payment information. And LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted but other information, like URLs, is not. In this situation, plaintext URLs in a vault give attackers an idea of what’s inside and help them prioritize which vaults to work on cracking first. Vaults, protected with a user-selected master password, pose a particular problem for users looking to protect themselves after a breach, because changing that master password right now with LastPass will do nothing to protect the data in the copy of the vault that was stolen.

Or, as Johnson put it, “with the vaults restored, those who hacked LastPass have unlimited time for offline attacks by guessing passwords and trying to recover users’ master keys.”
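The two points above, that a hybrid vault leaks its URLs to anyone holding a copy and that rotating the master password after the theft does nothing for the stolen copy, follow from how password-manager vaults are built: the vault is encrypted under a key stretched from the master password with a password-based KDF, so the stolen ciphertext is forever tied to the master password that was in use when it was copied. The model below is an added illustration written for this article, not LastPass code and not its actual format; it assumes a simplified vault layout (cleartext `url`, encrypted `password`), uses PBKDF2-HMAC-SHA256 with an arbitrary iteration count that is not LastPass’s setting, and substitutes a toy HMAC-counter keystream for a real authenticated cipher so it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
import os


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    The iteration count is what makes each offline guess cost real CPU time;
    the value used in this example is a placeholder, not LastPass's setting."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-counter keystream so the example needs only the standard library.
    # A real vault would use an authenticated cipher such as AES-GCM instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt_vault(entries, master_password, iterations=100_000):
    """Hybrid layout (assumed for illustration): 'url' stays in cleartext,
    'password' is encrypted and authenticated under the derived key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    secret = json.dumps([e["password"] for e in entries]).encode("utf-8")
    ciphertext = _xor(secret, _keystream(key, nonce, len(secret)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "kdf": {"salt": salt, "iterations": iterations},
        "urls": [e["url"] for e in entries],  # readable by anyone holding the blob
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": tag,
    }


def decrypt_vault(blob, master_password):
    """Return the full entries if the master password is right, None otherwise.
    The tag check is what an offline guesser uses to learn whether a guess hit."""
    key = derive_key(master_password, blob["kdf"]["salt"], blob["kdf"]["iterations"])
    expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    pad = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
    passwords = json.loads(_xor(blob["ciphertext"], pad))
    return [{"url": u, "password": p} for u, p in zip(blob["urls"], passwords)]


def visible_without_key(blob):
    """What the cleartext part of a hybrid vault reveals to whoever copied it."""
    return list(blob["urls"])


def breach_scenario():
    """Constructed scenario: a backup is copied, then the user rotates the master
    password. The rotated vault is safe; the stolen copy is unchanged."""
    entries = [  # constructed sample data
        {"url": "https://bank.example", "password": "Tr0ub4dor&3"},
        {"url": "https://mail.example", "password": "correct horse battery staple"},
    ]
    old_master = "master-password-in-use-when-backup-was-copied"
    stolen_copy = encrypt_vault(entries, old_master)   # what the attacker now holds

    new_master = "brand-new-master-password-chosen-after-the-breach"
    rotated_vault = encrypt_vault(entries, new_master)  # what the service stores now

    return {
        "urls_exposed": visible_without_key(stolen_copy),
        "old_password_opens_stolen_copy": decrypt_vault(stolen_copy, old_master) == entries,
        "new_password_opens_stolen_copy": decrypt_vault(stolen_copy, new_master) is not None,
        "new_password_opens_rotated_vault": decrypt_vault(rotated_vault, new_master) == entries,
    }


if __name__ == "__main__":
    for name, value in breach_scenario().items():
        print(f"{name}: {value}")
```

Running `breach_scenario()` shows the asymmetry the article describes: the stolen copy lists its URLs without any key, it still opens with the old master password, and it does not open with the new one, which only protects the vault as it exists on the server today. The only defences that act on the stolen copy are the ones fixed before it was taken: a long, unique master password and a high KDF iteration count, which together set the cost of each offline guess; after the fact, the practical remedy is to change the individual passwords stored inside the vault.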
