LastPass password manager has been hit by a data leak

It is one of the main services – super sensitive – that allows you to protect your passwords on the Internet to find them quickly, from a smartphone or a computer: the LastPass password manager has suffered a major data breach, the company announced in aNew Blog Post Published Thursday, December 22nd It was signed by its Chairman and CEO, Karim Touba.

The first breach, reported in August, allowed hackers to recover technical information. Thanks to them, at the beginning of December, they were able to target one of the company’s employees in order to recover a username, password and encryption key that opens access to LastPass computer backups, which are hosted by Subprocess. Initially Reassuringthe American company changed its tone and advised its users to be careful.

In fact, hackers have sucked a portion of these backups, which contain information provided by customers. Among the personal data retrieved are a surname, first name, address, telephone, email, IP address – the device identification number used to connect to the Internet – and optionally, a company name. Unfortunately, LastPass does not say how many users were affected by this leak.

This data is valuable to hackers because it can facilitate phishing schemes (phishing) aims to extract more sensitive information from LastPass clients. In this regard, the company warns its users that it will never contact them to ask them for the master password, which they use to unlock the LastPass app. Also, it will not call, email or send its customers an SMS asking them to click on a link confirming their personal information.

Passwords remain encrypted

According to the American company, the passwords of its customers have also been sucked. However, unlike the personal information mentioned above, this data remains protected by strong encryption, AES 256-bit (for Advanced encryption standard Advanced Encryption Standard). LastPass claims that it will be very difficult for hackers to crack the AES barrier to gain access to a list of passwords stored by its customers. The company, backed up in this investigation by cybersecurity firm Mandiant, warns that some of the companies that use its services choose another encryption scheme for their LastPass accounts, which is likely to be less strong.

To be able to open this cipher and access the list of customers’ passwords, it is necessary to know their master passwords. However, according to the CEO of LastPass, the hackers were unable to retrieve it because only customers would know about this precious sesame – a security measure known to experts as “ Zero knowledge architecture “.

However, hackers can find a particularly sensitive password in various ways, in particular by applying the brute force method, which consists in trying all possible combinations. According to LastPass, it is the strength of a master password that determines its resistance to attacks. However, some users have chosen that it is shorter and less complex than others. The master password’s security can also be compromised if its clients use a password for it that has already been used elsewhere. If so, it might have been hacked by another team of hackers and then sold to the perpetrators of the LastPass attack.

The company recommends that users who question the strength of their master password change it, and then replace all passwords stored in the encrypted memory of their account. A process that can take many hours, depending on the number of passwords stored by users.