An unnamed individual from the U.S. state of Pennsylvania claims he lost $53,000 in Bitcoin due to a compromised password stored on the company’s customer password vault. Even after deleting his data from the company after finding out about the August breach, he claims his BTC was stolen. “Not only has this statement not been verified through discovery, but it is also a shameless attempt by LastPass to shift the blame of the Data Breach’s resulting negative impact on Plaintiff and Class members,” the individual stated. The lawsuit undoubtedly brings into question the legitimacy and safety of LastPass and its user master passwords. In an eyebrow-raising update related to a data breach earlier this month, LastPass revealed that hackers were able to obtain a copy of customers’ password vaults. The malicious actors swiped LastPass’s cloud storage keys from an employee to access and decrypt stored data, according to a company blog post on the incident. LastPass said the actor accessed customer account information and certain related metadata, including company names, end-user names, billing and email addresses, phone numbers, and IP addresses used to access the password manager. LastPass is a service that allows customers to easily store, manage, and auto-fill passwords onto websites. They do so by using a master password to unlock the service. While the company states it does not know or store master passwords, it said the incident opens up the possibility for malicious actors to pry away master passwords from the customers themselves through a variety of cybercriminal schemes.
Hackers May Attempt Brute Force Attacks to Steal Master Passwords
LastPass warned customers that threat actors might attempt brute force attacks in order to steal their master passwords. The actors stole customer vault data from an encrypted storage container, which stored the data in a proprietary binary format. The data includes both unencrypted and fully encrypted sensitive data, which includes website usernames and passwords, secure notes, and form-filled information. The unencrypted data includes website URLs, which refer to the websites where users use the password manager. However, LastPass stated that it would not be easy for a threat actor to obtain customers’ master passwords via brute force. “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” LastPass CEO Karim Toubba said in a statement. “We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls,” Touba added.
LastPass Urges Customers to Watch Out for Phishing Attacks
Apart from brute force, LastPass said cybercriminals could target its customers with phishing, credential-stuffing, and social engineering attacks. They may also attempt brute force attacks against other online accounts that customers may use. “In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information,” Toubba added. “Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.” The threat actor reportedly used information from an August data breach to target the LastPass employee. At the time, LastPass stated the breach did not result in any customer information being stolen. However, the threat actor combined information from the two breaches to execute this worrying cyberattack. LastPass recommends that its business users implement its Federated Login Services. It has notified vulnerable Business customers, approximately 3% of its users, to take certain actions to protect themselves. We recommend reading LastPass’s complete statement to learn more about the incident and possible security interventions, as well as learn more about the platform’s encryption technology. This episode is a reminder that everyone should maintain high-standard cyber hygiene to protect their devices and private information. You can check out some of our resources to help create secure passwords and check out our rundown of the most secure password managers on the market, a list that LastPass didn’t make.