CERT-In Advisory
CIAD-2022-0034
Avoiding Phishing attacks in the wake of a Data Breach of Password Manager Utility LastPass
Original Issue Date: December 27, 2022
Severity Rating: High
Overview
In recent times, the password manager service LastPass was hit by a cyberattack leading to a data breach. It is reported that the threat actors obtained personal information belonging to its users, including their encrypted password vaults, by leveraging previously leaked data. The vault data is encrypted; however, the threat actor could attempt to brute force the master password, or may carry out phishing, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault.
Description
It is reported that threat actors gained access to source code and technical information from the utility's developer environment and used this to target users. The threat actors reportedly used information copied from a backup containing basic customer account information and related metadata from which users were accessing the password manager service.
The backup data from the encrypted storage container was stored in a binary format containing both unencrypted data (website URLs) and encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data.
Using this data, the threat actor may target users by attempting to brute force the master password, or may perform phishing, credential stuffing and brute force attacks against online accounts associated with the password manager utility.
Best Practices:
- Change your password every 60-90 days on user-level accounts. This ensures that threat actors using social engineering, brute force and credential-stuffing attacks cannot use your older passwords to gain access to your systems or data.
- Always use strong passwords with a combination of letters (both uppercase and lowercase), numerals and special characters. This minimizes the chance of successful brute force password guessing.
- Never reuse the master password on other websites. If you reuse credentials and those credentials get compromised, attackers can easily access your other accounts as well. Attackers may use dumps of compromised credentials that are already available on the Internet to attempt to access your account.
- Do not browse untrusted websites or click on untrusted links, and exercise caution when clicking on links provided in unsolicited emails and SMS messages.
- Exercise due care before clicking on a link provided in a message. Only click on URLs that clearly indicate the website domain. When in doubt, search for the organisation's website directly using a search engine to ensure that the website you visit is legitimate.
- Keep personal information private. Threat actors can use social media profiles to gather information and mount targeted attacks against you.
References
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
https://support.lastpass.com/help/help-i-think-my-account-has-been-compromised-lp070012
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India