- LastPass experienced a data breach twice, in August and November 2022.
- Hackers were able to access sensitive customer data stored on a cloud-based backup.
- The password management company advised its customers to change their passwords for the websites they use.
- LastPass does not know, store, or maintain user master passwords.
The LastPass data breach experienced in August and November 2022 compromised sensitive customer information.
LastPass explained in a statement that a malicious actor stole source code and technical information from the company’s development environment in August and used it to target an employee. This gave the hacker access to credentials and keys, which they used in November 2022 to access LastPass’ third-party cloud storage service. The malicious party was able to decrypt some storage volumes within the storage service by using the keys.
After decrypting the information, the hacker accessed and copied information stored on a cloud-based backup, including “basic customer account information and related metadata” such as company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service.” The number of affected customers has not yet been disclosed.
LastPass explained that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs”, as well as “fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”.
[embedpost slug = “/telstra-hit-by-data-breach-just-two-weeks-after-attack-on-optus/”]
The password management company reassured their customers regarding the security of their encrypted data by noting that all encrypted files remain “secured with 256-bit AES encryption,” requiring a unique encryption key derived from each user’s password in order to decrypt them. As LastPass does not know, store, or maintain user master passwords, the likelihood of a compromise is decreased.
In response to the attack, LastPass warned its customers to be wary of social engineering and phishing attacks. It was also noted that while the company uses hashing and encryption to protect customer data, malicious actors may use brute force to guess customers’ master passwords and decrypt copies of the vault data they stole.
If customers adhere to the default settings and best practises for master passwords, it would “take millions of years to guess [a] master password using generally-available password-cracking technology,” according to the company. Those who do not adhere to these best practises were advised to change the passwords for the websites currently stored in their LastPass account.
LastPass informed its customers that “sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture” and that no additional actions were recommended.
[embedpost slug = “/whatsapp-500m-user-data-breach-has-become-a-twitter-meme/”]
