Hackers copied a backup of customer vault data, admits LastPass

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with "your LastPass vault".

New Delhi: Encrypted password manager LastPass has admitted that hackers were able to “copy a backup of customer vault data,” in a recent data breach.

LastPass is a freemium password manager that stores encrypted passwords online.

In a statement, the company said that the threat actor “was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data”.

It means that the threat actor may attempt to use brute force to “guess your master password and decrypt the copies of vault data they took”.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with “your LastPass vault”.

“In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information,” the company added.

The company recommended that its users never reuse their master password on other websites.

“If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account,” said the company.

Earlier this month, Karim Toubba, the CEO of LastPass, admitted its systems were compromised for the second time this year.

The company detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.

The earlier security breach in August this year had allowed hackers internal access to the company’s systems for four days until they were detected and evicted.
