Users using LastPass, beware! CERT-In Issues A Phishing Alert

29 Dec 2022

Basic account information that was copied from a backup was used by the hackers.

India's cyber security agency, the Indian Computer Emergency Response Team (CERT-In), has informed Indian Internet users of multiple hacks involving their LastPass accounts. The government claims that the criminals behind the LastPass data breach employed a number of techniques, such as phishing, credential stuffing, and brute force, to gather data on LastPass users in India.

According to the advisory from the cyber-security response team, those responsible for the LastPass data breach had access to source code and technical information from the utility's developer environment, which they used to target users. Basic customer account information and the associated metadata of users accessing the password management service, i.e. LastPass, were reportedly accessed by the hackers.

The CERT-In advisory was released over a week after LastPass disclosed that a recent data breach had allowed hackers to "download a backup of customer vault data." This is important information.

According to the company's blog post, the threat actor copied data from a backup that included basic customer account information and related metadata, such as company names, end-user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers were accessing the LastPass service. In addition to alerting users to the cyber-attack, the security agency provided a number of guidelines for users to follow in order to stay safe online.

How to Protect Yourself Against Cyberattacks

1. Change your password on user-level accounts every 60 to 90 days.

2. Always use a combination of upper- and lowercase letters, numbers, and special characters to create secure passwords. This makes a successful brute-force password guess less likely.

3. Do not use the same master password on multiple websites.

4. Avoid visiting untrustworthy websites, never click on unverified links, and exercise caution when clicking on links in unsolicited emails and SMS messages.

5. Only click on URLs that clearly indicate which domain the website belongs to.
