LastPass Vault Breached via Employee's Home Computer, Giving Keys to the Kingdom to Hackers


Millions of LastPass users may be at risk after a major breach of the home computer of one of the company's senior employees. This employee was one of only four people in the company with access to its corporate vault. The breach may have come through a home Plex media account, according to Ars Technica, and appears to have been perpetrated by the same hackers who breached LastPass security on a smaller scale last August. At about the same time, Plex's security was also breached.


LastPass is a program that lets you store multiple passwords in a single account, which is itself unlocked by a single master password. So by getting the keys to the kingdom at LastPass, the hackers may have gotten the keys to the kingdoms of millions of users as well.

Chrome’s blurb for this browser add-on gives some idea of the risks users face. “LastPass, an award-winning password manager, saves your passwords and gives you secure access from every computer and mobile device. LastPass puts you in control of your online life – making it easy to keep your critical information safe and secure so you can access it whenever you want, wherever you are. Save all your passwords, addresses, credit cards, and more in your secure vault, and LastPass will automatically fill in your information when you need it.”

According to LastPass, "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA (multifactor authentication), and gain access to the DevOps engineer's LastPass corporate vault." According to their report, hackers got "decryption keys needed to access the AWS S3 (Amazon Web Services) LastPass production backups, other cloud-based storage resources, and some related critical database backups."

Two months ago, LastPass said that in the previous hack, the perpetrators had obtained both encrypted and plaintext data from its customer vault storage and the ability to copy customers' encrypted data.


Hackers often wait up to two years before attempting to access personal accounts exposed in a breach, but users gain nothing by waiting to respond. For LastPass users, it may be time to change your passwords. A word to the wise is sufficient.

Unrelated, but another reminder of how vulnerable online data can be: there was a major ransomware hack of the U.S. Marshals Service last week. The data taken includes returns from legal processes, information on people under investigation, fugitives, and some employees. There is no word on whether the ransom was paid. But the information would be of more than passing interest to criminal elements at home and around the world.
