The 2022 LastPass hack saw personal data and encrypted password backups stolen. According to the latest information published by the password management company, the hackers managed to access the LastPass cloud and copy some data, including "a backup of the customer's vault data from the encrypted storage container". This vault contains sensitive information, such as passwords.
It may seem strange that the vault containing crucial information is outside the user's device. However, this is common among password managers, which often offer features such as backup (to be able to access the vault in case something goes wrong on the user's device) or synchronization (to easily access passwords on other devices, between a PC and a smartphone for example).
Looking at what the vault holds, some fields were stored unencrypted because they were not considered to need special protection (for example, the addresses of the websites for which a user has an account and a saved password). Other, critical fields, such as usernames and passwords, were encrypted. According to LastPass, these encrypted items are protected with 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user's master password. LastPass emphasizes that the master password is never known to the company and is neither stored nor retained by it.
A keyless vault
In other words, the encrypted vault backup is unusable without this unique key. Although some peripheral data is exposed (such as website names), this does not give access to the user's private space. Encryption and decryption of the data are performed only on the user's device, which means that the encrypted passwords remain protected.
However, it is important to note that although the encrypted passwords are protected, it is still possible that personal data was stolen during this hack. LastPass users are encouraged to change their passwords and be vigilant for suspicious activity on their accounts. Also, it is recommended to use strong and unique passwords for each account to minimize the risk of hacking.
Finally, even though the encrypted passwords remain protected, it is worth paying attention to which password manager you use and checking its security record and reputation.
However, it is normal to worry when sensitive data is stolen, whether it is encrypted or not. In the case of LastPass, the company quickly reacted by warning its users and implementing measures to strengthen the security of its servers. It has also made available an FAQ to answer the questions most frequently asked by users regarding this hack.
Some tips for your passwords
As a user of LastPass, or any other password manager, it is important to take certain precautions to protect your information. Here are some tips to follow:
- Use a strong and unique master password for your LastPass account. A strong password is a combination of alphanumeric characters, symbols, and capital letters that is hard to guess and crack. It is also recommended that you change your master password regularly to strengthen the security of your account.
- Enable two-factor authentication when possible. This helps protect your account by requiring a second proof of identity upon login, such as a code sent via text message or generated by an authenticator app.
- Be vigilant against phishing and hacking attempts. Do not click on suspicious links or give your login details to untrusted third parties.
By following these tips, you can protect your sensitive information and minimize the risk of your various accounts being hacked.