LastPass CEO Karim Toubba has confirmed in a blog post that LastPass has been hacked for the second time in 2022. The previous breach took place in August. The recent breach was discovered in December, and this one is more concerning than the last.
LastPass is a popular password management platform. It is like a secret locker where you hide all your passwords. Instead of remembering all the passwords to different services, accounts, and devices, you store all of them in a password manager and lock them up with one master password. Password managers like LastPass and Passbolt have made it easier for people to have unique, hard-to-guess passwords for every purpose without having to tax their brains.
LastPass uses an on-premises datacenter to store customer information and sensitive data, but it uses a third-party cloud storage service to back up that data, and that is what has caused the issue: a threat actor has taken a copy of the backup.
LastPass did not lose any customer data in the previous breach that was discovered in August, but that breach did expose some technical details and some source code. Leveraging that, the hackers attacked an employee and accessed the cloud-based data storage with credentials stolen from that employee.
The incident has compromised both encrypted and unencrypted data including “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
The only thing standing between the attacker and the stored passwords right now is each customer's master password, without which the vault contents remain encrypted. The hacker can try to brute-force master passwords to get at the sensitive information, so it will serve you well to change the passwords that are stored in LastPass.
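The paragraph above makes the master password the last line of defence, which is why its strength decides how much the stolen backup is worth to an attacker. The following added example (not code from the article or from LastPass) models that risk: it stretches a master password into a vault key with PBKDF2-HMAC-SHA256 and estimates how long an exhaustive search would take for passwords of different entropy. The iteration count (100,100), the attacker's assumed raw SHA-256 rate (10 GH/s) and the example passwords are all illustrative assumptions, not figures from the page.

```python
import hashlib
import math
import os
import time


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 100_100) -> bytes:
    """Model of a vault key derivation: PBKDF2-HMAC-SHA256 stretches the
    master password into a 256-bit key. The iteration count is an assumed
    value for this example, not a figure taken from the article."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols (words count as symbols)."""
    return length * math.log2(alphabet_size)


def guesses_per_second(sha256_rate: float, iterations: int) -> float:
    """Approximate master-password guesses per second available to an
    attacker with the given raw SHA-256 rate: every guess costs roughly
    `iterations` HMAC evaluations, so stretching divides the rate."""
    return sha256_rate / iterations


def years_to_exhaust(entropy_bits: float, guess_rate: float) -> float:
    """Worst-case time, in years, to try every password of the given entropy
    at `guess_rate` guesses per second (expected time is about half this)."""
    return (2.0 ** entropy_bits) / guess_rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed inputs: a random salt and a throwaway master password.
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", salt)
    print(f"one derivation took {time.perf_counter() - start:.3f}s on this machine")

    # Assumed attacker capability for illustration: 10 GH/s of SHA-256.
    rate = guesses_per_second(1e10, 100_100)
    for label, length, alphabet in [("8 lowercase letters", 8, 26),
                                    ("12 mixed-case letters and digits", 12, 62),
                                    ("4 random words from a 7776-word list", 4, 7776)]:
        bits = password_entropy_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years to exhaust")
```

The point of the numbers is the ratio, not the absolute values: the stretching factor buys a constant slowdown, while each extra bit of password entropy doubles the attacker's work, so a short master password stays exposed no matter how many iterations the vault uses.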
Channels or accounts that use two-factor or multi-factor authentication, like your Gmail account, are far more secure. Even if the attacker obtained your email ID and password, they would not be able to log in unless you approve the login from your mobile device. However, services that do not offer two-factor authentication are at risk.