LastPass Breach Update – December 2022


Update 2 on December 23, 2022:

Naked Security has this article detailing their views on the LastPass breach and the admission that encrypted vaults were stolen. They have some helpful comments and insights. This got CyberHoot thinking some more…

We stored our credit card information in LastPass for ease of use when filling out forms. Will we cancel and reissue our credit cards? Speaking personally for now, I will not. My master password was so long and complex that the cracking effort required, according to the site’s password strength meter, was 7 quadrillion years. Wow! That’s a relief.

December 23, 2022: CyberHoot Update on the LastPass Breach:

LastPass released new information about their latest breach notification from November 30th, where their monitoring detected a new breach (related to the August breach). In this 12/22/2022 update they admit they believe 256-bit AES encrypted client password vaults have been stolen from the third party. This is the first time they have acknowledged that customer data is at risk. Here is their opinion on the situation:

December 22, LastPass blog update:

“If you use the default settings above, it will take millions of years to guess your master password using commonly available password cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form fill fields, remain securely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions you should take at this time.

However, it is important to note that if your master password does not use the above defaults, then this will significantly reduce the number of attempts needed to guess it correctly. In this case, as an additional security measure, you should consider minimizing risks by changing the passwords of websites you have stored.”

So, what does this mean for any LastPass users out there, or for companies that have deployed LastPass to their users? A lot of work actually.
