LastPass notified customers today that they are now required to use complex master passwords with a minimum of 12 characters to increase their accounts' security.
Even though LastPass has said since 2018 that master passwords must be at least 12 characters, users have still been able to set weaker ones.
LastPass began enforcing the 12-character master password requirement in April 2023 for new accounts and password resets, but older accounts could still keep passwords with fewer than 12 characters.
Starting this month, LastPass is now enforcing the 12-character master password requirement for all accounts.
LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.
If a match is found, the customers will be alerted via a security warning pop-up and prompted to select another password to block future cracking attempts.
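The two checks described above, a minimum length and a lookup against a leaked-credential corpus, can be combined into one policy routine. The following is an added illustration and not LastPass code; it assumes a constructed local list of leaked password hashes and simulates the k-anonymity range query pattern (send only a 5-character SHA-1 prefix, compare the rest on the client) that breach-lookup services commonly use, so the full password hash never leaves the client.

```python
"""Added example (not LastPass code): enforce a 12-character master password
and check it against a leaked-credential corpus using a k-anonymity
prefix lookup, so the client never reveals the full password hash."""
import hashlib

MIN_MASTER_PASSWORD_LENGTH = 12

# Constructed sample corpus: SHA-1 hashes of passwords assumed to have leaked.
# A real deployment would use a bulk breach dataset or a remote range query
# keyed on the 5-character hash prefix; the format here mirrors that scheme.
_LEAKED_PLAINTEXTS = ["password1234", "correcthorsebattery", "letmein"]
LEAKED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED_PLAINTEXTS}


def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into a 5-char prefix
    (safe to send to a range service) and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix: str, corpus=LEAKED_HASHES) -> set[str]:
    """Simulate the server side of a k-anonymity range query: return every
    leaked hash suffix sharing the given prefix. Only the prefix is seen."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_compromised(password: str, corpus=LEAKED_HASHES) -> bool:
    """True if the password's full hash appears in the corpus; the comparison
    of the suffix happens on the client, after the range lookup."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return suffix in range_lookup(prefix, corpus)


def validate_master_password(password: str, corpus=LEAKED_HASHES) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        problems.append(f"must be at least {MIN_MASTER_PASSWORD_LENGTH} characters")
    if is_compromised(password, corpus):
        problems.append("appears in a known credential leak; choose a different password")
    return problems


if __name__ == "__main__":
    # Constructed candidates: too short and leaked, long enough but leaked, acceptable.
    for candidate in ["letmein", "password1234", "Tr0ub4dor&3-and-a-horse"]:
        print(candidate, validate_master_password(candidate) or "OK")
```

The length rule and the breach rule are reported independently, so a user who picks a 12-character password that is already in a leak still gets the "choose a different password" prompt the article describes, and a password that fails both rules is told about both at once.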
As part of the same effort to increase account security, LastPass also started a forced multi-factor authentication re-enrollment process in May 2023, which led to many users experiencing significant login issues and getting locked out of their accounts.
LastPass told BleepingComputer that B2C customers will begin receiving emails about these changes today, with B2B customers receiving them on January 10th. These measures are the direct result of two security breaches LastPass disclosed in August 2022 and November 2022.
In August, the company confirmed its developer environment was breached via a compromised developer account after the attackers hacked into a software engineer's corporate laptop.
During the breach, they stole source code, technical info, and some LastPass internal system secrets.
The information stolen in this incident was later used by threat actors in the December breach when they also stole customer vault data from its encrypted Amazon S3 buckets after compromising a senior DevOps engineer's computer using a remote code execution vulnerability to install a keylogger.
In October 2023, hackers stole $4.4 million worth of cryptocurrency from over 25 victims using private keys and passphrases they extracted from LastPass databases stolen in the 2022 breaches.
According to research by MetaMask developer Taylor Monahan and ZachXBT, it is believed that threat actors are now cracking stolen LastPass master passwords to gain access to the password vaults.
Using this access, the threat actors search for cryptocurrency wallet passphrases, credentials, and private keys and use them to load the wallets onto their own devices to drain them of all funds.
LastPass says its password management solution is now used by over 33 million people and 100,000 businesses worldwide.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 03 Jan 2024 17:20:15 +0000