Telstra hit by data breach just two weeks after attack on Optus
TLS.AX revealed a tiny data compromise on Tuesday. Telstra says an intrusion...
The LastPass data breach experienced in August and November 2022 compromised sensitive customer information.
LastPass explained in a statement that a malicious actor stole source code and technical information from the company’s development environment in August and used it to target an employee. This gave the hacker access to credentials and keys, which they used in November 2022 to access LastPass’ third-party cloud storage service. The malicious party was able to decrypt some storage volumes within the storage service by using the keys.
After decrypting the information, the hacker accessed and copied information stored on a cloud-based backup, including “basic customer account information and related metadata” such as company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service.” The number of affected customers has not yet been disclosed.
LastPass explained that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs”, as well as “fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”.
The password management company reassured their customers regarding the security of their encrypted data by noting that all encrypted files remain “secured with 256-bit AES encryption,” requiring a unique encryption key derived from each user’s password in order to decrypt them. As LastPass does not know, store, or maintain user master passwords, the likelihood of a compromise is decreased.
In response to the attack, LastPass warned its customers to be wary of social engineering and phishing attacks. It was also noted that while the company uses hashing and encryption to protect customer data, malicious actors may use brute force to guess customers’ master passwords and decrypt copies of the vault data they stole.
If customers adhere to the default settings and best practises for master passwords, it would “take millions of years to guess [a] master password using generally-available password-cracking technology,” according to the company. Those who do not adhere to these best practises were advised to change the passwords for the websites currently stored in their LastPass account.
LastPass informed its customers that “sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture” and that no additional actions were recommended.
Catch all the Sci-Tech News, Breaking News Event and Latest News Updates on The BOL News
Download The BOL News App to get the Daily News Update & Follow us on Google News.