Password manager giant LastPass has revealed that cybercriminals stole its customers’ encrypted password vaults, which store passwords and other secrets, during a data breach earlier this year.
This comes after the company’s CEO, Karim Toubba, said only last month that the threat actor had gained access to “certain elements” of customer information.
In today’s announcement, Toubba added that LastPass uses a cloud storage service to store archived backups of production data. Using a “cloud storage access key and dual storage container decryption keys” stolen from LastPass’ developer environment, the attacker gained access to the company’s cloud storage.
According to Toubba, the intruders stole a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. Customer password vault caches are stored in a “proprietary binary format” that includes both unencrypted and encrypted vault data.
The cybercriminals also stole vast amounts of customer data, such as names, email addresses, phone numbers, and some billing information.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba assured the customers. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
Customers’ password vaults, according to LastPass, are encrypted and can only be unlocked with the customer’s master password, which is only known to the customer. However, the company warned that the intruders “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”
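To make the two statements above concrete, here is an added illustration (not LastPass’s own code, and not a description of its actual implementation) of how a zero-knowledge vault design works and why the brute-force warning follows from it. The scheme, the iteration counts and the guessing rate are assumptions constructed for this example: the client derives a 256-bit vault key from the master password with PBKDF2-HMAC-SHA256, sends the server only a further-derived login hash, and so anyone holding a stolen vault copy can only recover the key by guessing the master password offline, at a cost set by the password’s entropy and the derivation’s iteration count.

```python
import hashlib
import hmac
import math
from typing import NamedTuple

# Illustrative zero-knowledge layout (an assumption for this example, not LastPass's real scheme):
#   vault_key = PBKDF2-HMAC-SHA256(master_password, salt=email, iterations)   -- stays on the client
#   auth_hash = PBKDF2-HMAC-SHA256(vault_key, salt=master_password, 1 round)  -- the only thing sent to the server
# The server can check auth_hash but cannot walk back to vault_key or the master password.

KEY_LEN = 32  # 256-bit key, matching the "256-bit AES" described in the announcement


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side derivation of the vault encryption key. The e-mail acts as a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=KEY_LEN
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round turns the vault key into a login credential that does not reveal the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=KEY_LEN)


def verify_login(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    """Server-side check; constant-time comparison so the check itself leaks nothing about the hash."""
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


class GuessCost(NamedTuple):
    guesses_expected: float
    seconds_expected: float
    years_expected: float


def offline_guess_cost(entropy_bits: float, iterations: int, hmac_per_second: float) -> GuessCost:
    """Expected work for someone holding a stolen vault copy to find the master password by offline guessing.

    Each guess costs roughly `iterations` HMAC computations (PBKDF2), and on average half the
    password space has to be searched. hmac_per_second is a constructed capability figure, not a measurement.
    """
    guesses = 2 ** entropy_bits / 2
    seconds = guesses * iterations / hmac_per_second
    return GuessCost(guesses, seconds, seconds / (365.25 * 24 * 3600))


if __name__ == "__main__":
    # Constructed sample user: e-mail is the salt, master password is the only secret.
    email = "user@example.com"
    key = derive_vault_key("correct horse battery staple", email, 600_000)
    auth = derive_auth_hash(key, "correct horse battery staple")
    print("vault key (never leaves client):", key.hex())
    print("auth hash (stored by server):    ", auth.hex())
    print("login check:", verify_login(auth, auth))

    # Constructed comparison: a weak master password with a low iteration count versus a strong one
    # with a high count, against an assumed 1e9 HMAC/s guessing capability.
    for label, bits, iters in [("weak/low", 28, 5_000), ("strong/high", 60, 600_000)]:
        cost = offline_guess_cost(bits, iters, 1e9)
        print(f"{label:12s} entropy={bits} bits iterations={iters:>7} -> ~{cost.years_expected:.3g} years expected")
```

The login hash demonstrates the "never known to LastPass" claim: the server holds a value it can verify but cannot invert into the vault key. The cost function is the flip side the article warns about: once the encrypted vault is in an attacker's hands, the server-side rate limiting is gone and the only things standing between them and the plaintext are the master password's entropy and the KDF work factor, which is why weak or reused master passwords are the real exposure here.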
The Thursday update also detailed several steps LastPass has taken to strengthen its security following the breach. The steps include decommissioning and rebuilding the hacked development environment, retaining a managed endpoint detection and response service, and rotating all relevant credentials and certificates that may have been compromised.
I recommended this password manager in my blog article before. They claim no impact to customer passwords, as it should be client side encrypted, but best to make sure you have 2FA enabled.
Binance CEO Changpeng Zhao warned the users.
LastPass provided an update. The hacker has all the user info including email address and website URLs unencrypted. If you reused passwords for the master password or have a weak master password, then it is possible for the hacker to obtain all of his/her credentials.
— CZ 🔶 Binance (@cz_binance) December 23, 2022
When the company announced the breach in August, it stated that it did not believe any user data had been accessed. Then, in November, LastPass and its Boston-based owner GoTo (formerly LogMeIn) admitted that unknown hackers had compromised their shared cloud-storage service.