LastPass password manager hit by data leak

It is one of the main services, and an ultra-sensitive one, that let you protect your passwords on the Internet and retrieve them quickly from a smartphone or a computer: the LastPass password manager has suffered a major data breach, the company announced in a blog post published Thursday, December 22 and signed by its Chairman and CEO, Karim Toubba.

A first breach, reported in August, had allowed hackers to recover technical information. Using it, at the beginning of December, they were able to target an employee of the company in order to obtain a username, a password, and an encryption key giving access to LastPass's computer backups, hosted by a subcontractor. Initially reassuring, the American company has since changed its tone, advising its users to be careful.

The hackers in fact siphoned off part of these backups, which held information provided by customers. Among the personal data retrieved are their surname, first name, address, telephone number, e-mail, IP address (the identification number of the device used to connect to the Internet) and, optionally, the name of their company. Unfortunately, LastPass does not say how many of its users are affected by this leak.


This data is valuable to hackers because it can facilitate phishing schemes aimed at extracting even more sensitive information from LastPass customers. In this regard, the company warns its users that it will never contact them to ask for the master password, the one they use to open the LastPass application. Nor will it call its customers, e-mail them or text them asking them to click on a link to confirm their personal information.

Passwords remain encrypted

According to the American company, its customers' passwords were siphoned off as well. However, unlike the personal information listed above, this data remains protected by strong encryption, 256-bit AES (Advanced Encryption Standard). LastPass claims that it would be very difficult for hackers to break the AES barrier and reach the list of passwords stored by its customers. The company, which is assisted in this investigation by the cybersecurity firm Mandiant, warns, however, that some businesses using its services have opted for a different encryption setting for their LastPass accounts, potentially a less robust one.

To unlock this encryption and access the list of customers' passwords, it is necessary to know their master passwords. According to the CEO of LastPass, the hackers could not recover these, because only customers know this precious key, a security measure that experts call a "zero-knowledge architecture".


However, hackers can recover this particularly sensitive password in different ways, in particular by brute force, which consists of trying every possible combination. According to LastPass, it is the strength of the master password that determines its resistance to such attacks, and some users have chosen one that is shorter and less complex than others. The security of the master password can also be compromised if customers have reused for it a password already used elsewhere. If so, it may have been stolen by another group of hackers and then sold to the perpetrators of the LastPass attack.

The company recommends that users who doubt the strength of their master password change it, then replace all the passwords stored in the encrypted vault of their account, an operation that can take many hours depending on how many passwords the user has stored.


Le Monde
