The password manager confirms that encrypted passwords were stolen by hackers during an attack dated last August.
And Merry Christmas. It’s probably with a bit of a clenched jaw that LastPass has uploaded a new ticket they blog clarifying his knowledge regarding a hack whose password manager was a victim this summer.
Should we be worried?
While we thought the story was closed, LastPass tells us that the publisher has new information to communicate regarding the hacking, the content of which we reported to you a few weeks ago.
During the last point made by the company, we learned that personal data had indeed been stolen but that no password was part of the lot. That’s no longer the case, reports the password manager to 30 million users today.
In his blog post, Karim Toubba, the company’s CEO, today admits that encrypted passwords have been stolen by hackers and that they are trying to decipher them. But we should not worry too much, assures the person concerned.
In essence, encrypted content is very difficult to read
To be more precise, the hackers have managed to get their hands on the safe of some users. Safe which contains in encrypted form all the passwords provided by the company’s customers. However, without the master key, only known to the user, it is impossible to access the contents of the safe.
« These secure fields are encrypted with the 256-bit AES protocol and can only be decrypted by a unique key derived from the master password that only users know. As a reminder, the master password is never known to LastPass and is not stored or operated by LastPass. “, reassures Karim Toubba.
So what if you were worried that you were among the people whose data hackers are trying to access? Unfortunately not much. As we have seen, it is very unlikely that hackers will be able to do anything with this unreadable data. On the other hand, it is possible that hackers try to phish their victims by impersonating LastPass so that their victims voluntarily give them their master password. So be particularly vigilant of the sender of any email, and do not access LastPass from a link in an email.
