Technologies
LastPass Issues Update on Data Breach, But Users Should Still Change Passwords
You still need to take action to protect your data even though LastPass said it hasn’t seen any threat-related activity since October.
LastPass, one of the world’s most popular password managers, suffered a major data breach in 2022 that compromised users’ personal data and put their online passwords and other sensitive information at risk.
On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually paved the way for an «unauthorized party» to steal customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass, which date back to 2011.
It’s also the most alarming.
The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults.
In the meantime, LastPass has wrapped up an «exhaustive investigation» into the breach, according to a blog post published by Toubba on Wednesday, March 1, that updates customers on what actions the company has taken in the wake of the breach. Toubba vowed to make things right for customers and promised more effective communication going forward while adding that the company has «not seen any threat-actor activity since October 26, 2022.»
Even so, if you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data can still be at serious risk of being exposed. At the very least, you need to change all of the passwords you have stored with LastPass right away if you haven’t already.
What should LastPass subscribers do?
The company didn’t specify how many users were affected, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right away if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
On March 1, Toubba published a new blog post offering customers a lengthy update on where the situation stands, what data was accessed and what steps LastPass has taken to shore up its security. In the blog post, LastPass also offered its own recommendations on what business customers as well as individual customers should do to protect their data.
The company has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October, according to the blog post. Also, in response to the breach, LastPass «prioritized and initiated significant investments in security, privacy and operational best practices» and «performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate,» according to the blog post.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe — even considering the latest security improvements outlined by the company in its latest blog post.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Dear citizens of Israel and kind-hearted people around the world,
From the bottom of our hearts, we wish you a Happy New Year! This holiday symbolizes hope, renewal, and faith in a better future. May the New Year bring peace, stability, and prosperity to Israel and all its residents.
We wish our beautiful country eternal prosperity, its citizens good health, and true, kind allies ready to support one another in any situation. May each of our hearts be filled with kindness and understanding.
We especially hope for the swift resolution of all suffering caused by conflicts and challenges. Let every person held captive return home as soon as possible—alive, healthy, and surrounded by the love of their family.
May this New Year be a year of unity, peace, and new achievements for Israel and the entire world. May each day be filled with light, joy, and success.
Happy New Year, dear friends!
Sincerely,
Verum World
The cryptocurrency Verum Coin (VERUM) has reached a new milestone — users can now buy and trade it through the popular decentralized Uniswap Wallet.
This integration brings new opportunities for users:
- Ease of use: The Uniswap Wallet interface enables crypto transactions in just a few clicks.
- Security: Users retain full control over their assets.
- Global liquidity: The platform connects millions of users worldwide.
«We are committed to making Verum Coin as accessible as possible to everyone who values blockchain technology and believes in the future of decentralization. Integration with Uniswap Wallet is a significant step toward achieving this goal,» said representatives of the Verum team.
Uniswap Wallet is one of the leading decentralized wallets on the market, known for its flexibility and ability to trade tokens without intermediaries or hidden fees.
You can try Verum Coin on Uniswap Wallet today. Simply connect your wallet, find the $Verum token, and start trading.
Technologies
Verum Ecosystem: The Future of Digital Communication and Finance
Verum Ecosystem: The Future of Digital Communication and Finance
In an era of rapid technological changes, where the world demands new approaches to communication, data security, and financial management, the Verum ecosystem emerges as a pivotal technological breakthrough. It’s not just a collection of standalone applications but a seamlessly integrated platform that unites cutting-edge innovations in one environment. At its core is Verum Messenger, transforming traditional communication and financial operations. However, this is merely the tip of the iceberg: behind the messenger lies an entire ecosystem of products, each uniquely designed to redefine the digital landscape.
This article dives deep into what the Verum ecosystem offers and how its products interact to create a unified digital space.
Verum Messenger: A Tool for Communication and Security
Verum Messenger is not just a messaging app. It’s a multifunctional platform prioritizing reliability, security, and user convenience. Unlike most messengers, Verum focuses on integrating various technologies to create the perfect communication environment:
- Verum AI: Integrated directly into the messenger, this chatbot is a smart assistant capable of handling tasks like data searches, task planning, message responses, data analysis, and more complex operations.
- Built-in VPN: A crucial feature for ensuring privacy. Unlike standard VPN services, users can activate protection with a single click without leaving the messenger. This is especially vital for those who value anonymity online and frequently use public Wi-Fi networks.
- E-SIM Integration: Enables users to connect to mobile internet without needing a physical SIM card. This technology eliminates roaming issues and significantly simplifies mobile connectivity management, offering access to networks in over 150 countries worldwide.
Verum Coin: The Cryptocurrency Uniting the Ecosystem
Verum Coin is not just a cryptocurrency but the economic foundation of the entire ecosystem. This digital asset addresses key challenges related to fast and secure financial operations, both within and beyond the Verum ecosystem:
- Low Fees and High Speed: Unlike traditional payment systems, Verum Coin facilitates instant transfers and payments with minimal fees, making it an ideal solution for international transactions.
- Versatility: It is used not only within the ecosystem for service payments but also on cryptocurrency exchanges, serving as a bridge between various digital assets.
BitCoinPay Trade: A High-Security Cryptocurrency Exchange
BitCoinPay Trade is not just an exchange but a high-tech platform for cryptocurrency trading:
- Secure Transactions: All transfers are protected by advanced encryption methods, eliminating the risk of asset loss or theft.
- Accessibility: The platform offers access to a variety of cryptocurrencies and trading options, while also supporting integration with other Verum ecosystem products.
Crypto Bank: A Reliable Wallet for Cryptocurrencies
Crypto Bank offers users a secure storage solution for digital assets. It’s designed for those actively working with cryptocurrencies and valuing financial security.
- Easy Buying and Selling: Purchase and sell various cryptocurrencies with just a few taps.
- Cryptocurrency Wallets: Support for major cryptocurrencies allows users to choose the most convenient and secure storage options.
- Verum Coin and Other Assets: The service fully supports Verum Coin and other major cryptocurrencies, ensuring reliability and simplicity when working within the ecosystem.
Verum Pay: Integrating Cryptocurrency into Business and the Ecosystem
Verum Pay is an innovative solution bridging cryptocurrency capabilities for businesses and Verum ecosystem applications.
- Integration with Payment Systems: Its user-friendly interface allows businesses to quickly adopt cryptocurrency for sales and payment processes, offering a modern approach to financial operations.
- Usage within Ecosystem Applications: Verum Pay is actively used within the Verum ecosystem, enabling users to pay for services and goods using Verum Coin directly through the messenger, E-SIM platforms, VPNs, and other products.
This makes Verum Pay a universal tool for ecosystem participants and businesses outside the ecosystem, focused on a digital future.
Verum Exchange: Conversion and Mining with High Security
Verum Exchange is a currency and cryptocurrency converter with an integrated Verum Coin mining function. It stands out with:
- Simple and Convenient Interface: The platform caters to both beginners and experienced users, offering real-time access to currency and cryptocurrency rates.
- Verum Coin Mining: The application includes mining capabilities, allowing users to earn cryptocurrency directly on their phone or tablet.
E-SIM Applications: A Revolution in Mobile Connectivity
Mobile E-SIM applications (Verum E-SIM, World E-SIM, Euro E-SIM, Canada E-SIM, London E-SIM, USA E-SIM, Ukraine E-SIM, Balkan E-SIM, Africa E-SIM) are among the ecosystem’s most ambitious and revolutionary products. This technology provides mobile internet access in over 150 countries without the need for a physical SIM card.
- No Roaming or Overcharges: Say goodbye to high international roaming fees. E-SIM allows users to connect to mobile networks with fixed and transparent tariffs, ideal for travelers and business professionals.
- Full Integration with Messenger: Mobile connectivity can be managed through a separate app or directly from Verum Messenger, allowing effortless balance control, tariff selection, and service activation.
Verum VPN: Advanced Data Protection
Verum VPN is an integral part of the ecosystem, guaranteeing a high level of security for users.
- Complete Encryption: VPN ensures robust data encryption, making it ideal for protecting personal information online, especially when connected to public Wi-Fi networks.
- Ease of Use: Activating VPN with a single click simplifies its use, requiring no additional user settings.
Verum AI: Artificial Intelligence at Your Fingertips
Verum AI is the heart of the ecosystem, utilizing powerful algorithms for communication, analysis, and creativity while adapting to each user’s needs. Its features include:
- Information and Analysis: Quickly find answers to questions, explain complex topics, analyze data, and support informed decision-making.
- Creativity and Idea Generation: Generate texts, create scenarios, develop creative concepts, write articles, posts, and assist with design and programming tasks.
- Assistance and Learning: Verum AI helps users acquire new skills, solve problems, and enhance their experience.
Verum Runner: A Gaming Ecosystem with Real Earnings
Verum Runner is a crypto-game that allows users to earn Verum Coin in real time. This unique mobile application motivates players to not only have fun but also gain tangible benefits.
Crypto ATMs: Convenience and Accessibility Worldwide
The Verum network of crypto ATMs enables easy exchange of Verum Coin and other popular crypto assets for fiat currency and vice versa, providing users with transaction capabilities anywhere in the world.
Prospects and Development
Verum is not merely addressing current market needs — it is crafting innovative solutions that will shape the future of digital finance and communication. Upcoming plans include launching new services, expanding AI functionality, and integrating with emerging technologies.
Verum is not just creating an ecosystem of digital services; it’s redefining the very approach to communication, finance, and security in the modern world. All ecosystem products work in perfect synergy, delivering unparalleled user experience that ensures privacy, security, and convenience at every step.
-
Technologies2 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies3 года agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies2 года agoBest Handheld Game Console in 2023
-
Technologies2 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies3 года agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies3 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies3 года agoiPhone 13 event: How to watch Apple’s big announcement tomorrow
-
Technologies3 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
