
Beware of phishing attacks, CERT-In warns LastPass password manager users

During the breach of the LastPass password manager database, cybercriminals may have got hold of critical personally identifiable information of consumers
Last Updated 29 December 2022, 07:04 IST

Earlier in the month, just three days before Christmas, LastPass revealed that the company had suffered a data breach. More worrying, the cybercriminals were able to get their hands on users' vault data containing usernames and passwords.

That's not all: it is being reported that threat actors were also able to access the IP addresses from which LastPass customers accessed their passwords. This may allow criminals to map the location of the users too.

"Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service," LastPass said on its blog.

LastPass says that the stolen data is encrypted and hard to decrypt, and that most of the data, such as usernames, passwords, secure notes and form-filled data, is likely to be safe.

However, the Indian Computer Emergency Response Team (CERT-In) doesn't buy that argument.

It says threat actors may target users with a possible brute force attempt to guess the master password or may perform phishing, credential stuffing, and brute force attacks against online accounts associated with the password manager utility.

In the coming days, affected people may receive phishing emails, SMS messages or calls from threat actors. People have been advised to avoid replying to, or sharing financial details with, unknown persons, corporate emails or calls.

Here are some of the valuable tips offered by CERT-In to safeguard yourself from online fraud:
1) Change passwords every two or three months. This way, criminals will not be able to use old compromised passwords to breach your online accounts
2) Make it a habit to create complicated passwords that combine numbers, letters (mix both upper case and lower case) and special characters. This makes them difficult not just for criminals using brute-force password guessing but also for predictor algorithms
3) You should never use the master password on other websites. As said earlier, reusing it will make it easier for criminals to use compromised passwords to break into all other websites
4) Avoid browsing unknown websites and do not venture out into the dark net. And never click download even if the banner says it has detected a virus. No webpage app can, without your authorisation, enter your computer just like that and detect a virus or malware
5) Check whether the website is genuine by seeing if its URL has 'https' or just 'http'. If it has the latter, close the webpage and move on
6) And never easily trust a stranger on social media platforms. There are people who can read your previous public posts, try to contact you as a friend of a friend and, through social engineering, gain your trust to fleece you of your money


(Published 29 December 2022, 07:01 IST)
