News Categories

LastPass says customer vault data obtained by hacker in security breach

By Cookie Monster - on 24 Dec 2022, 10:51am

LastPass says customer vault data obtained by hacker in security breach

LastPass provides another update on the security breach it suffered in August.

CEO Karim Toubba wrote in a blog post that the hacker copied information from a cloud-based storage service using the stolen cloud storage access key and dual storage container decryption keys.

The copied information includes basic account information such as company names, end-user names, billing addresses, email addresses, telephone numbers, and the I.P addresses from which customers were accessing the LastPass service.

The hacker also managed to copy a backup of customer vault data which contains unencrypted data (e.g. website URLs) and fully-encrypted sensitive fields (e.g. website user names/passwords, and secure notes).

LastPass reiterates the encrypted fields are secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from the user's master password. As LastPass deploys a Zero Knowledge architecture, the master password is never known to the company and is not stored or maintained by the company.

Nonetheless, LastPass says the hacker might use brute force to guess the master passwords and decrypt the copies of vault data. It would be extremely challenging for the hacker to guess the master passwords if customers follow the password best practices (e.g. minimum of 12 characters, combination of upper/lower case/numeric/special characters, a passphrase). 

LastPass claims it will take millions of years to guess the master password if customers follow its password best practices, and if the hacker uses generally-available password-cracking tools.

The hacker might target customers with phishing attacks, credential stuffing or other brute force attacks against online accounts associated with the LastPass vault.

LastPass states investigations are ongoing and it is committed to keeping customers informed of its findings, and the actions it is taking.

Source: LastPass

Join HWZ's Telegram channel here and catch all the latest tech news!
Our articles may contain affiliate links. If you buy through these links, we may earn a small commission.