LastPass data breach: notes and actions to take.
N2K, Jan 4, 2023

Password manager LastPass reveals that customer information was impacted in a breach at the end of the year.

Password manager LastPass has been victimized in a data breach that included customer data, including password vaults.

A late summer breach at LastPass.

SecurityWeek reports that the breach occurred in August of last year, when hackers got into the LastPass network and returned later to hijack customer information. The threat actor is said to have copied a backup of customer vault data, which is said to contain “both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” LastPass CEO Karim Toubba said. HackRead reports that the threat actor also stole technical data and source code from the development environment.

Criticisms of LastPass disclosure.

Almost Secure discusses the LastPass breach and disclosure, speculating that the near-holiday timing of the disclosure was not coincidental. Rather, thinks Almost Secure, it may have been intended to keep news coverage of the incident low. The disclosure, Almost Secure says, reads like LastPass’s attempt to minimize potential litigation risk while avoiding drawing attention to itself and provoking a public outcry.

Implications for organizations and individuals.

Consumer group Which? says that LastPass customers should ensure that their master password isn’t used elsewhere and is more complex than the passwords they customarily use, since LastPass doesn’t store master passwords and asserts that only “brute force” would give threat actors access to them. “LastPass does not know users' master passwords and they are not stored or maintained by LastPass. If you're a LastPass user, only you know your master password. The company describes this as its 'zero knowledge architecture',” Which? explains, adding that the vault data can only be decrypted with encryption keys derived from the master password. The company also recommends changing passwords on websites whose credentials were stored in the manager.
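The paragraph above turns on two points: the vault key exists only on the client, derived from the master password, and the strength of that password is what stands between a stolen encrypted backup and its contents. The following Python is an added illustration of that model, not LastPass’s code, and its iteration count, salt handling and password-policy thresholds are assumptions chosen for the example rather than LastPass’s actual parameters. It derives a client-side vault key with PBKDF2, derives the separate one-way value a zero-knowledge server would store, checks a master password against the advice Which? gives (not reused, not trivially simple), and estimates how the key-derivation work factor scales the cost of exhaustive guessing so a defender can reason about exposure after a vault backup is copied.

```python
import hashlib
import string
import time
from typing import Iterable, List

# Assumed parameters for illustration only (not LastPass's real settings).
ITERATIONS = 600_000   # PBKDF2 rounds; every guess at the password must repeat them
KEY_LEN = 32           # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client-side only: the key that decrypts the vault. In a zero-knowledge
    design this value (and the master password) is never sent to the server."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def derive_auth_token(vault_key: bytes, salt: bytes) -> bytes:
    """What the server stores for login instead of the password: one further
    one-way step over the vault key (assumed construction). A leak of this
    token yields neither the master password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=KEY_LEN)


def master_password_problems(master_password: str, site_passwords: Iterable[str]) -> List[str]:
    """Policy check mirroring the advice in the text: the master password must
    not be reused for any site in the vault and must be stronger than typical
    site passwords. Thresholds are assumptions for the example."""
    problems = []
    if len(master_password) < 16:
        problems.append("shorter than 16 characters")
    classes = sum(
        any(ch in cls for ch in master_password)
        for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits,
                    string.punctuation + " ")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if master_password in set(site_passwords):
        problems.append("reused as a website password stored in the vault")
    return problems


def guess_cost_seconds(iterations: int, search_space: float, per_iteration_seconds: float) -> float:
    """Expected wall-clock time to find the password by exhaustive guessing:
    on average half the search space is tried, and each guess costs the full
    PBKDF2 work factor. This is the defender's estimate of exposure, not a tool."""
    expected_guesses = search_space / 2
    return expected_guesses * iterations * per_iteration_seconds


def measure_iteration_seconds(sample_iterations: int = 20_000) -> float:
    """Measure PBKDF2-HMAC-SHA256 cost per iteration on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"timing-probe", b"salt", sample_iterations, dklen=KEY_LEN)
    return (time.perf_counter() - start) / sample_iterations


if __name__ == "__main__":
    salt = b"per-user-salt-constructed-for-demo"      # constructed sample value
    vault_passwords = ["hunter2", "Summer2022!", "correct horse battery staple 42!"]

    for candidate in ("hunter2", "Tr0ub4dor&3", "a long sentence nobody else uses 91."):
        key = derive_vault_key(candidate, salt, iterations=10_000)   # low count to keep demo fast
        token = derive_auth_token(key, salt)
        print(f"{candidate!r}: key={key.hex()[:16]}... token={token.hex()[:16]}...")
        print("  problems:", master_password_problems(candidate, vault_passwords) or "none")

    per_iter = measure_iteration_seconds()
    for label, space in (("8 lowercase letters", 26 ** 8), ("16 mixed characters", 72 ** 16)):
        secs = guess_cost_seconds(ITERATIONS, space, per_iter)
        print(f"{label}: ~{secs / 86400 / 365:.3g} CPU-years at {ITERATIONS} iterations on one core")
```

The printed CPU-year figures are only for a single core of the machine running the script; an attacker with a copied backup is offline and can parallelise, so the practical conclusion is the one the text draws: a unique, long master password keeps the search space large, and the work factor multiplies that cost for every guess. Rotating site passwords removes the value of anything that may eventually be recovered.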