Experts in cybersecurity, software programming and fintech have been discussing the topic since Lastpass revealed two days ago that hackers had gained access to their accounts by breaching security earlier in the year. The company said that an “unknown threat actor” had accessed the cloud-based storage environment and was also able to copy a backup of customer vault data.
Lastpass Report Indicates a “Threat Actor” Was Able To Copy Backup Data
On December 22, 2022, Lastpass revealed that an “unknown threat actor” had compromised their cloud-based storage environment in August 2022. Following the news, discussion of the topic has been taking place across social media and forums, which are popular channels for reaching large groups of people. Some believe that the situation “may be worse than what they are letting on.”
LastPass hackers now have full access to passwords stored on websites, as well as blobs encrypted with your master password https://t.co/Wdbt6mWe8C https://t.co/HldcJ8DYkK
— SwiftOnSecurity (@SwiftOnSecurity) December 22, 2022
Lastpass claims that encrypted data is protected with 256-bit AES encryption and that only the master password of each user can decrypt the information. Lastpass does not store or maintain the master password and is not able to access it.
The proprietary binary format also contained both sensitive fields and unencrypted information, such as URLs to websites. Usernames are fully encrypted; passwords, secure notes and data entered in forms are also protected.
Lastpass Security Guarantee Not Convincing to Critics
Despite this assurance, a variety of reports indicate that the situation is far worse than Lastpass is letting on. Andrew Heinzman, writing for Reviewgeek.com, states that “you should stop using Lastpass.” He goes on to say that even with a strong master password, there is still a chance of hackers stealing some information. Udi Wertheimer, a crypto supporter, also warned that “the attackers probably have a copy of your vault.” Both Heinzman and Wertheimer advise that users stop using Lastpass.
After a number of stolen crypto wallets have been drained and stolen, the system is immediately hacked
“Be your own bank”
If you want to make my money geeks happy, nah visit a brick and mortar establishment
— Gainzy (@gainzy222) December 24, 2022
A Twitter user claiming to be an engineer for the company seven years ago also said that Lastpass’s noncompliance is a big problem. “This is the worst breach Lastpass has ever had, by far,” they said. “The key difference is that this time client vaults were accessed, which are kept in a completely separate database.”