Popular password manager application LastPass announced today that “vaults” containing sensitive information such as passwords of users were stolen in previous security vulnerabilities that occurred this year. On the other hand, the fact that this statement came months later drew attention.Safe with user passwords stolen
In the news we gave you before, we mentioned that LastPass was hacked in August, and then at the end of November, an attack took place again with the information obtained from the previous attack, and “certain elements” of user data were accessed. LaspPass did not openly say what data of users was stolen back then… Until now.
Today, LastPass CEO Karim Toubba revealed in a blog post shared that attackers stole a backup of customer vault data using previously stolen cloud storage keys. The cache of customer password vaults is stored in a “proprietary binary format” containing both unencrypted and encrypted vault data, but the technical and security details of this proprietary format are not specified. It’s also unclear how up-to-date the stolen backups are.Still, the company claims you can be safe if you have a strong master password. However, if you have a weak master password, the company says, “as an extra security measure, you should consider minimizing the risk by changing passwords for websites you keep.”
Toubba said that as a result of the attacks, a large amount of customer data was also compromised, including users’ names, email addresses, phone numbers and some billing information.
Are LastPass password vaults secure?
According to LastPass, encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password. LastPass also states that this master password is not stored on their servers and the company cannot see this password.
According to LastPass, the stolen password vaults contain all the password information of the users, but they are very difficult to crack and it will take millions of years to guess the master password with traditional methods.
In light of all this information, it’s a mystery why LastPass didn’t share this highly critical information in November or as a result of the August attack. Reactions to LastPass, which is used by more than 33 million people and 100,000 businesses worldwide, have also intensified. On the other hand, if you are a LastPass user and use weak passwords, we recommend that you update them and, if possible, use two-step verification wherever you have a subscription.
25525
