LastPass data breaches compromise customer details

LastPass had data breaches in August and November 2022, which led to sensitive customer information being stolen.

In a statement, LastPass said that a hacker stole source code and technical information from its development environment in August. This information was then used to target an employee, which gave the hacker access to credentials and keys. In November 2022, the hacker used those credentials and keys to get into LastPass’ third-party cloud storage service and decrypt some of the storage volumes.

After the information was decrypted, the hacker used a cloud-based backup to access and copy “basic customer account information and related metadata.” This included “company names, end-user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers were accessing the LastPass service.” Nobody knows yet how many customers are affected.

LastPass said that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, like website URLs, and fully-encrypted sensitive fields, like website usernames and passwords, secure notes, and form-filled data.”

The password management company reassured its customers that their encrypted data was safe, saying that all encrypted files are still “secured with 256-bit AES encryption.” Each user’s master password is used to create a unique encryption key that is needed to decrypt the file. Since LastPass doesn’t know, store, or keep track of users’ master passwords, this makes the encrypted data harder to break.

After the attack, LastPass told its customers to be careful about social engineering or phishing attacks. It also said that while the company uses hashing and encryption to protect customer data, the attacker could try “brute force” to guess customers’ master passwords and decrypt the copies of the vault data that were stolen.

The company said that if customers use the default settings and best practises for master passwords, it would “take millions of years to guess a master password using widely available password-cracking technology.” It suggested that people who don’t follow these best practises should change the passwords they have saved for websites in their LastPass account.

LastPass told its customers that “sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture,” and that there were no other steps they should take.
