The first computer attack took place in August 2022, although its scope was very limited, and only some internal files (source code, among other things) were obtained from these servers. Or, at least, that was thought. At the end of November, the LastPass servers were again compromised in a much larger attack, which could be carried out thanks to inside information obtained during the first attack (some vulnerability discovered in the code, certificates, etc.) .
The attack last November was much larger and more difficult to detect. Of course, in the first instance it was revealed that the user data had not been compromised in any way, so there was nothing to worry about. Today, the company changes its version, and yes, the attack has been much more serious than initially thought.
User data is at risk
In a new post on the LastPass blog, the company claims it has found evidence that the attacker, or attackers, who carried out this hack managed to download a copy of the entire customer vault. Both encrypted data and unencrypted data can be found in this backup. Among the unencrypted data that has been found we can highlight, for example, saved URLs, company names, billing addresses, telephone numbers or IP addresses, among other things. And, among the encrypted data, there are saved usernames and passwords in this service.
The encrypted data, in theory, is securely protected, since it has 256-bit AES encryption. LastPass did not store the master password, so attackers cannot get it and use it to decrypt the data. But they can force it (in case users used strong passwords) or use brute force to find it, dangerous if the victims were in the habit of reusing passwords.
The only data that has not been compromised is that of the payment cards, since they were not fully stored in LastPass.
What can I do now
Of course, hackers have found a real treasure. Not just for the large amount of personal data that are not encrypted and that are already in their possession, but by strong, reliable, and secure passwords that work which are also in his possession, although they will be encrypted. Now, the hackers’ goal is to find a way to break the 256-bit AES encryption and gain unlimited access to all these passwords to probably sell them online. How easy, or difficult, this is just depends on the password the user used.
If we were LastPass users a few months ago, surely our data is already in the hands of hackers. And, although we can no longer do anything for them, what we can do is change master password used in service change all passwords of all the sites that we have saved on this platform and, in addition, pay close attention to the emails, messages and communications that may reach us, since the unencrypted data can be used for phishing.
