KUALA LUMPUR, Feb 13 — Password managers are highly recommended to keep your online logins safe. Besides having unique passwords for each login, a password manager also makes it easy for you to log in across multiple devices and platforms. However, if you’re using LastPass, you might want to take action now as your data could be at risk following a massive data breach.

As reported by CNET, LastPass acknowledged a security incident back in December 2022. At the time, it said that no customer data was accessed, even though some source code and technical information were stolen from its development environment. However, LastPass has since said that the threat actor managed to copy a backup of customer vault data from the encrypted storage container, which contains both unencrypted and fully-encrypted sensitive data. It added that the encrypted fields remain secured with 256-bit AES encryption.

LastPass said it’s possible that the threat actor may attempt to use brute force to guess users’ master passwords, but this will be difficult if users follow its best practices. The password manager platform said it may take millions of years to guess your master password if the default settings are followed.

What’s worrying is that the unencrypted data includes LastPass usernames, company names, billing addresses, email addresses, telephone numbers and IP addresses. LastPass also warned that these threat actors may target customers and attempt to gain access through social engineering and phishing attacks.

If you’ve been using LastPass, it is recommended that you immediately take proactive steps to safeguard your online credentials. The first thing you should do is change your master password. Next, you should gradually reset the passwords for all platforms that you log into via LastPass, starting with crucial ones such as online banking, primary communications and social media accounts. You should also enable two-factor authentication (2FA) on all platforms whenever possible as an added security precaution.

As always, be alert to any emails or instant messages asking you to log in. Do not click on links in emails and messages; it is best to log in through the official website or app to avoid potential phishing attacks.

In the event of a scam, you should contact our very own National Scam Response Centre (NSRC) at 997. Last year, it managed to recover about RM1.4 million in stolen funds. — SoyaCincau