You probably know that you should have a unique, secure password for every site you visit (unless you’re already living in the post-password world of passkeys). You also probably know that there’s no way you’re going to remember all of those unique passwords, which is why we have password managers like 1Password, LastPass, Dashlane, Bitwarden, or the built-in solutions for Google Chrome, Firefox, and other browsers.

Unfortunately, while cloud-based solutions make life easier by ensuring that you have access to your passwords across a range of devices, cloud-based password management services are also a tempting target for hackers… and one of the world’s most popular password managers has just announced that hackers have stolen a massive archive of customer data.

LastPass says that an unauthorized party accessed its servers in August (we already knew that). At the time LastPass said “no customer data was accessed,” but the hacker did get some source code and other information… and those were used in a later attack that allowed the hacker to gain access to “some storage volumes within the cloud-based storage service.”

In a nutshell, a hacker made off with “a backup of customer vault data.” The good news is that the most sensitive data (your passwords) is encrypted, and LastPass doesn’t even keep a copy of your master password. So if you use a unique, secure master password for LastPass, it should theoretically take “millions of years” for the hackers to brute force their way into your vault.

The bad news is that new techniques for brute force attacks are appearing all the time, folks who may have had not-as-secure-as-they-should-be passwords might be less safe, and LastPass has a habit of minimizing the damage done in security incidents like this. So I wouldn’t blame LastPass users for being a little bit panicked at the moment.

Fortunately there are some steps you can probably take to minimize your vulnerability moving forward:

  • If you’re not already using multi-factor authentication with your LastPass account, turn it on now.
  • Changing your LastPass master password probably won’t help protect you from the current breach – hackers have a backup of your data that can be unlocked with your current (or old) password. But if you don’t have a unique 12-character or longer master password yet, you should probably choose one now to help protect yourself from future attacks.
  • What you may want to do is change some or all of the passwords for third-party sites and services that are stored in your LastPass account. At a minimum, I’d recommend changing your passwords for bank accounts, online stores, or any other sites that have your financial data including bank account numbers, credit card numbers, or other information that could be used to drain your bank accounts or rack up credit card debt.
  • Fortunately LastPass has an Auto Change Password feature that may speed up the process. For sites that don’t support automatic password changes, you can follow the instructions for changing your passwords manually.
  • You may be thinking now is a good time to stop using LastPass altogether and switch to another password management system. Just keep in mind that even if you do that, you may want to change some of your existing passwords before migrating, as simply cancelling your LastPass account won’t protect you from a hacker who may be able to brute force their way into your backup if it still contains your current passwords.
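The two points above about the vault (a stolen backup stays openable with the master password it was encrypted under, and a long master password is what makes guessing it impractical) are easier to see with a small model than in prose. The following is an added example written for this post; it is not LastPass’s code or its real vault format. It stands in for the vault with a simplified construction (PBKDF2-SHA256 key derivation, an HMAC-SHA256 keystream and an HMAC tag; assumed for illustration, not LastPass’s AES-based scheme), uses an assumed iteration count of 100,000 and an assumed attacker rate of one billion SHA-256 operations per second, and shows why rotating the master password protects only future backups, not the copy that was already taken.

```python
import hashlib
import hmac
import math
import secrets

# Assumed PBKDF2 iteration count for this illustration (not LastPass's configured value).
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Simplified stream cipher: HMAC-SHA256 in counter mode (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Produce a 'backup': salt, nonce, iteration count, ciphertext and an integrity tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ct": ct, "tag": tag}


def decrypt_vault(master_password: str, backup: dict):
    """Return the plaintext, or None if the master password does not fit this backup."""
    key = derive_key(master_password, backup["salt"], backup["iterations"])
    expected = hmac.new(key, backup["nonce"] + backup["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, backup["tag"]):
        return None  # wrong master password (or a tampered backup)
    ks = keystream(key, backup["nonce"], len(backup["ct"]))
    return bytes(c ^ k for c, k in zip(backup["ct"], ks))


def rotate_master_password(old_password: str, new_password: str, backup: dict) -> dict:
    """Re-encrypt under a new master password. The OLD backup object is left untouched,
    just like a copy an attacker already downloaded."""
    plaintext = decrypt_vault(old_password, backup)
    if plaintext is None:
        raise ValueError("old master password does not open this backup")
    return encrypt_vault(new_password, plaintext, backup["iterations"])


def brute_force_years(password_length: int, charset_size: int,
                      iterations: int = ITERATIONS, sha256_per_second: float = 1e9) -> float:
    """Expected time to guess a uniformly random password offline, where every guess
    costs `iterations` SHA-256 operations. The guessing rate is an assumed figure."""
    bits = password_length * math.log2(charset_size)
    expected_guesses = 2 ** (bits - 1)          # on average half the space is searched
    seconds = expected_guesses * iterations / sha256_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample vault contents.
    stolen_backup = encrypt_vault("old-master-pw", b"bank: user / hunter2\nshop: user / p@ss")
    fresh_backup = rotate_master_password("old-master-pw", "new-master-pw", stolen_backup)
    print("old backup still opens with old password:",
          decrypt_vault("old-master-pw", stolen_backup) is not None)
    print("new backup opens with old password:",
          decrypt_vault("old-master-pw", fresh_backup) is not None)
    for n in (8, 12, 16):
        print(f"{n}-char random password from 95 printable chars: "
              f"~{brute_force_years(n, 95):.3g} years")
```

The `rotate_master_password` result is the part worth dwelling on: the new backup no longer opens with the old password, but the object the attacker already holds does, which is why changing the passwords stored inside the vault matters more than changing the master password after the fact. The `brute_force_years` figures are rough, since they assume a random password and a fixed guessing rate; a master password built from dictionary words or reused elsewhere is guessed far sooner than the entropy arithmetic suggests.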

Here’s a roundup of recent tech news from around the web, including a few stories that aren’t about LastPass.

Hackers stole a backup of LastPass’s customer vault data [LastPass]

This includes both encrypted data such as usernames, passwords, and secure notes, and unencrypted data like website URLs.

The breach has been widely covered by tech news sites in the past 24 hours. Here are some other articles that may provide more details, context, and advice:

Emulating an iPod Touch 1G and iPhoneOS 1.0 using QEMU [Martijn de Vos]

This emulator image runs iPhoneOS 1.0 build 3A101a, the first firmware Apple ever released for its iPod touch. The emulator runs a bootloader, kernel, and Springboard software to render the iOS home screen and other apps. The developer says “all hardware components” needed to do that are functional, but there are some features that aren’t yet supported including audio devices, the graphics processor, video encoder and decoder, and USB OTG device. So it’s still very much a work in progress. But it’s still a very impressive feat of reverse engineering.

Custom-built #LEGO brick with a #RaspberryPi RP2040 MCU and an OLED display. https://t.co/iMzIUfsBND

— CNX Software (@cnxsoft) December 23, 2022


9 replies on “Lilbits: LastPass customer data stolen (included encrypted password vaults) and what you can do about it”

  1. Ahem! Einstein here 🙂
    I always use a small paper notebook to keep my passwords.
    Of course I am just adding “dumb” prefixes and suffixes to passwords to keep them safe from others in case of loss.
    Also someone can change hint words of the websites too when writing down like,
    Amazon (Brazil Jungle)
    Twitter ([Birds], [Blue Sparrow] etc.)
    Facebook ([Friend Network], [Friends Web], [Big Blue Ad Machine] etc.)
    And then I don’t write my own email anywhere.

  2. The Sipeed Lichee Pi 4A is now up for pre-order!

    https://sipeed.com/licheepi4

    Their SoM – T-head’s 1520 on a docking board. An excellent idea, which gives them the opportunity to promise a tablet and a smartphone to come!

    Sipeed seem to be at the vanguard of RISC-V.

    1. Sipeed is selling up to $50 off coupons, with no specific prices. If the board is $100, you could buy it with $50 PayPal and $50 in coupons. A Chinese style Kickstarter.

  3. Season’s Greetings, Brad.

    Thanks for all your hard work over the year – it is appreciated.

  4. Sucks to be LastPass. Using things like LastPass is inherently insecure for the very reasons discussed in this article. People, simple rule: memorize your passwords and use long, complicated passwords. 16 character minimum and use a combination of upper case, lower case, numbers and special characters. Example:
    !aBcdEfg,hjK-345098=
    The above password is not easily guessed and is million-year safe (needs more than a million years to crack) by all brute force and standard methods.

    Before anyone says that it is impossible to remember, I say you’re wrong. The human mind has an exceptional memorization aspect; one just needs some practice. Practice makes perfect.

    1. Humans can also run marathons, but damn few do. Now, I suppose one could memorize a password system, so your passwords could be

      Amazon okM[Na]ijN{6&}uhB
      Facebook okM[Kf]ijN{8(}uhB
      Liliputing okM[gL]ijN{0_}uhB

      and so on, but remembering the 100+ logins my browser says I have? No way.

      I just keep a text file with a non-informative name and misleading extension in an obscure folder, loadable by a macro in my text editor. That also covers the dozen-plus email addresses I use on various sites.

  5. Just looked at my LastPass; it had 155 passwords. What fun changing everything!

    1. Always use local password managers. If you had KeePass nobody could have those passwords unless breaking into your house.

      For all the people, stop using online password managers. I can’t say it enough.

      1. Check the KeePass Wikipedia page for known weaknesses. People literally have to break into my house for the notebook of all my passwords.
