CERT-In warns LastPass users in India of increased cyber attacks

Criminals are holding personal details and password vaults containing the sign-in credentials of millions of users.

The Indian Computer Emergency Response Team (CERT-In) issued a ‘high severity’ advisory last evening for Indian customers using LastPass.

Just before Christmas, LastPass, one of the leading password manager services, shared that attackers stole customer vault data after breaching its cloud storage. Its servers were hacked in August this year.

“It is reported that the threat actors obtained personal information belonging to its users that include their encrypted password vaults by leveraging data leaked. The data is encrypted, and the threat actor could possibly perform brute force attempt to guess the master password, or may carry out phishing, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault,” CERT-In wrote on its website.

Attackers broke into a third-party cloud storage service that LastPass shares with affiliate company GoTo, through which they gained access to certain elements of customers’ information.

While LastPass uses a minimum 12-character master password (with numbers, symbols, and capital letters), hackers can still attempt to get into the data using a brute force attack.

CERT-In also shared some best practices, such as changing passwords every 60-90 days on user-level accounts and using strong passwords that combine letters (both uppercase and lowercase), numerals and special characters. It also cautioned against reusing the master password on other websites.

What are brute force attacks?

The name “brute force” comes from attackers using excessively forceful attempts to gain access to user accounts.

A brute-force attack tries every possible combination for the password until one of them works. The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations, until they find the correct login information.

Despite being an old cyber-attack method, brute force attacks are tried and tested and remain a popular tactic with hackers.

Ashwani Mishra
