LastPass had data breaches in August and November 2022, which led to sensitive customer information being stolen.
In a statement, LastPass said that an attacker stole source code and technical information from the LastPass development environment in August. This information was then used to target an employee, giving the attacker access to credentials and keys, which were then used in November 2022 to get into LastPass’ third-party cloud storage service. With those keys, the attacker was able to get into the storage service and decrypt some of the storage volumes.
After the information was decrypted, the attacker used a cloud-based backup to access and copy “basic customer account information and related metadata.” This included “company names, end-user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers were accessing the LastPass service.” It is not yet known how many customers are affected.
LastPass said that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, like website URLs, and fully-encrypted sensitive fields, like website usernames and passwords, secure notes, and form-filled data.”
The password management company reassured its customers that their encrypted data was safe, saying that all encrypted fields are still “secured with 256-bit AES encryption.” Each user’s master password is used to derive a unique encryption key, and that key is needed to decrypt the vault. Because LastPass does not know, store, or track users’ master passwords, the stolen vaults are harder to break.
After the attack, LastPass told its customers to be careful about social engineering or phishing attacks. It also said that while the company uses hashing and encryption to protect customer data, attackers could try to “brute force” customers’ master passwords and decrypt the copies of the vault data they stole.
The company said that if customers use the default settings and best practices for master passwords, it would “take millions of years to guess a master password using widely available password-cracking technology.” It suggested that people who do not follow these best practices should change the passwords they have saved for websites in their LastPass account.
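The two claims above, that the master password is turned into a key LastPass never stores, and that a strong master password plus the default key-derivation settings makes offline guessing take far too long, can be made concrete with a small model. The following is an added example, not LastPass code and not taken from the statement: it assumes PBKDF2-HMAC-SHA256 as the key derivation function (the page only says “hashing and encryption”), a constructed per-user salt, constructed iteration counts, and a constructed attacker throughput of a billion HMAC evaluations per second. The numbers it prints are illustrations of how the work factor and the password length multiply the guessing cost, not LastPass’ figures.

```python
import hashlib
import hmac

# Assumptions (not stated on the page): the vault key is derived with
# PBKDF2-HMAC-SHA256, and the salt is a non-secret per-user value stored
# next to the vault. The key length matches the "256-bit AES" claim.
KEY_LEN_BYTES = 32


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the 256-bit vault key from the master password.

    Only the password, the salt and the iteration count go in, so the
    service never has to store the key or the password. Whoever holds a
    stolen vault copy must run this once per candidate password.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN_BYTES
    )


def key_matches(candidate_password: str, salt: bytes, iterations: int, expected_key: bytes) -> bool:
    """Constant-time check that a candidate password derives the expected key.

    Shown here only to illustrate that a wrong master password yields a
    different key, so the encrypted fields stay unreadable.
    """
    derived = derive_vault_key(candidate_password, salt, iterations)
    return hmac.compare_digest(derived, expected_key)


def candidate_space(charset_size: int, length: int) -> int:
    """Number of possible passwords of a given length over a character set."""
    return charset_size ** length


def expected_guess_seconds(candidates: int, iterations: int, hmac_per_second: float) -> float:
    """Expected time, in seconds, for an offline search of the candidate space.

    Every guess costs `iterations` HMAC evaluations, so the KDF work factor
    multiplies the cost linearly; on average half the space is searched
    before the right password is hit, hence the division by two.
    """
    return candidates * iterations / hmac_per_second / 2


def years(seconds: float) -> float:
    """Convert seconds to (Julian) years for readable output."""
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed sample value
    iterations = 600_000                 # constructed work factor
    key = derive_vault_key("correct horse battery staple", salt, iterations)
    print("vault key:", key.hex())
    print("right password matches:", key_matches("correct horse battery staple", salt, iterations, key))
    print("wrong password matches:", key_matches("correct horse battery stapl", salt, iterations, key))

    rate = 1e9  # constructed attacker throughput: HMAC-SHA256 evaluations per second
    weak_space = candidate_space(26, 8)     # eight lowercase letters
    strong_space = candidate_space(70, 14)  # fourteen characters from a mixed set
    for iters in (5_000, 600_000):
        print(
            f"iterations={iters}: "
            f"8 lowercase -> {years(expected_guess_seconds(weak_space, iters, rate)):.4f} years, "
            f"14 mixed -> {years(expected_guess_seconds(strong_space, iters, rate)):.3e} years"
        )
```

The point of the last loop is the one the statement makes: the iteration count raises the cost of every guess, but only a long master password drawn from a large character set pushes the expected search time into the “millions of years” range; a short, simple password stays crackable at any realistic work factor, which is why customers who used one are told to rotate the passwords stored in the vault.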
LastPass told its customers that “sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture,” and that there were no other steps they should take.