LastPass: Hackers have stolen encrypted LastPass password vaults

Today, LastPass said that attackers broke into its cloud storage earlier this year and stole customer vault data by using information stolen in an August 2022 incident.

This follows a previous update that was made public a month ago. In that update, the CEO of the company, Karim Toubba, merely stated that the threat actor gained access to “certain elements” of customer information.

Today, Toubba added that LastPass stores archived backups of production data on the cloud storage service.

Using a “cloud storage access key and dual storage container decryption keys” taken from LastPass’s developer environment, the attacker gained access to its cloud storage.

Toubba stated in today’s statement, “The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Some of the stolen vault data is therefore “safely encrypted”: the encrypted fields are protected by 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.

Toubba claims that LastPass is unaware of the master password, that it is not stored on its systems, and that it does not maintain it.

Customers were also warned that the attackers could attempt to brute force their master passwords to gain access to the stolen encrypted vault data.

However, this would be very difficult and time-consuming if you have been following the password best practices recommended by LastPass.

Toubba added that if this is the case, “it would take millions of years to guess your master password using generally-available password-cracking technology.”
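The following is an added example, not code from the article or from LastPass, that illustrates the two claims above: the vault key is derived from the master password with a slow key derivation function, and the time to brute force it depends on both the password's keyspace and the KDF's iteration count. The use of PBKDF2-HMAC-SHA256, the account email as salt, the 100,100 iteration count, and the 1e10 hashes/second attacker rate are all assumptions constructed for the illustration, not figures from the article.

```python
import hashlib

# Assumed parameters for illustration (not from the article).
ASSUMED_ITERATIONS = 100_100      # PBKDF2 rounds applied client-side
ASSUMED_HASH_RATE = 1e10          # SHA-256 computations per second an attacker is assumed to have
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 256-bit vault key from the master password.

    The server never sees the master password; only this derived key
    (or material derived from it) is used to decrypt vault fields.
    The email address is used as a per-user salt here (an assumption).
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def password_keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of a given length over an alphabet."""
    return alphabet_size ** length


def guesses_per_second(hash_rate: float, iterations: int) -> float:
    """Each guess costs `iterations` hash computations, so the KDF divides
    the attacker's raw hash rate by the iteration count."""
    return hash_rate / iterations


def years_to_exhaust(length: int, alphabet_size: int,
                     hash_rate: float = ASSUMED_HASH_RATE,
                     iterations: int = ASSUMED_ITERATIONS) -> float:
    """Worst-case years to try every password in the keyspace offline."""
    seconds = password_keyspace(length, alphabet_size) / guesses_per_second(hash_rate, iterations)
    return seconds / SECONDS_PER_YEAR


def strength_table(lengths=(8, 10, 12), alphabet_size=95):
    """Compare exhaustive-search time with and without a slow KDF."""
    rows = []
    for n in lengths:
        rows.append((
            n,
            years_to_exhaust(n, alphabet_size, iterations=1),
            years_to_exhaust(n, alphabet_size),
        ))
    return rows


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    print("derived key:", key.hex())
    print(f"{'len':>4} {'years (no KDF)':>16} {'years (PBKDF2)':>16}")
    for n, fast, slow in strength_table():
        print(f"{n:>4} {fast:>16.3g} {slow:>16.3g}")
```

The table makes the defender's point concrete: an 8-character password over the printable ASCII alphabet falls in days if the vault key were a single hash of the password, but the assumed iteration count pushes the same search past two thousand years, and a 12-character password past a hundred billion. The iteration count is therefore a security parameter in its own right, which is why accounts left on a low legacy setting deserve a forced master-password change and a higher count.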

“Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.”

The cloud storage breach is the second security incident the company has disclosed this year, after it confirmed in August that its developer environment had been breached through a compromised developer account.

The August advisory was published days after BleepingComputer contacted LastPass about a possible breach and received no response.

In emails sent to customers, LastPass confirmed the theft of proprietary technical information and source code from its systems.

The company also revealed in a follow-up update that the attacker responsible for the breach in August had internal access to its systems for four days before being kicked out.

According to LastPass, its password management software is utilized by over 100,000 businesses and 33 million individuals worldwide.
