India's cyber-agency CERT-In has warned LastPass users of a critical security risk: exposure to phishing, credential stuffing, and brute force attacks. The warning matters because LastPass itself admitted that hackers were able to copy a backup of customer vault data. LastPass is a freemium application used to store encrypted passwords in the cloud.
According to the CERT-In advisory, the copied data is encrypted, but a threat actor could attempt to brute force the master password. A threat actor could also carry out phishing, credential stuffing, or brute force attacks against the online accounts associated with a user's LastPass vault. Sources revealed that the threat actors gained access to source code and other technical information from the developer environment in order to target users. The threat actors also made use of information copied from a backup containing basic customer account information and related metadata.
The government-owned agency advised LastPass users to change the passwords on user-level accounts every 69-90 days. Rotating passwords ensures that threat actors relying on social engineering, brute force, and credential stuffing attacks cannot use your older passwords to gain access to your systems or data. CERT-In has also reported a security vulnerability in WordPress that could allow an attacker to execute arbitrary code on the targeted system; once the system is compromised, an attacker could upload a malicious file.