Phishing is an online attack that aims to steal user data, including login credentials and credit card numbers. It happens when an attacker impersonates a trusted entity and misleads a victim into opening an email, instant message, or text message.
LastPass is the world's most popular password manager, but unfortunately recently had an alarming data breach. LastPass can reassure that even though user's plaintext passwords were not accessed, the following explains what was:
The hackers also got LastPass user's encrypted passwords for each stored login. The encryption protection is strong so if the master password the user used for LastPass is also strong; there should be no issues. However, there was no evidence that unencrypted credit card data was accessed as LastPass does not store complete credit card numbers and credit card information.
Despite no card information being obtained, the plaintext information stolen (listed above) benefits a hacker as it can allow them to start phishing. It will enable them to target a potential victim using information not known to the general public.
For a prime example, with a list of the websites that someone logs onto, a phisher can make specific phishing emails that pretend to be from that website when instead it is the hacker themselves. It has to be believable for it to work, so it could include the user's name, telephone number, and email address. Every bit of detail adds to the false legitimacy of the email. Each included detail increases the percentage of people who will become victims.
Knowing people's phone numbers is another way the hacker can also make them more vulnerable to fake tech calls and cold calling. If a postal address is also included within the website they log into, they could also receive written scams within the post.
In response to the incident, LastPass eradicated any further potential access to the system by decommissioning the environment that was breached and rebuilding it in a new environment from scratch. They also replaced and strengthened developer machines, processes, and authentication procedures.
In addition, they have added additional logging and alerting capabilities to help detect any further unauthorized activity, including a second line of defence. The rotation of relevant credentials and certificates that may have been affected has also been implemented to ensure security. LastPass is also performing extensive analysis of every account with signs of any suspicious activity within their cloud storage service, adding additional safeguards in the cloud and currently analysing data to understand what the threat actor accessed.
In summary, if your LastPass password was at least 12 characters long (LastPass default currently), contained some form of complexity, wasn't an easy-to-guess, and was not used on any other site or service, then you're okay. If this is not what you have done, you need to immediately change all your passwords, including both the LastPass master password and all the passwords you stored in LastPass. It is a crucial habit to make sure every password is difficult to work out.
If you or your company have been a victim of hacking via phishing, please don't hesitate to get in touch with us to find a solution that can help prevent issues in the future. Call us on 0345 313 1111 or email us at email@example.com