LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.
This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information.
Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data.
The attacker gained access to Lastpass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.
"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today.
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."
Some of the stolen vault data is "safely encrypted"
Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password.
According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass' systems, and LastPass does not maintain it.
Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data.
However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass.
If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added.
"Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."
Breached twice in a single year
The cloud storage breach is the second security incident disclosed by the company since the start of the year after confirming in August that its developer environment was breached using a compromised developer account.
Lastpass published the August advisory days after BleepingComputer reached out and received no response to questions regarding a possible breach.
In emails sent to customers, Lastpass confirmed the attackers stole proprietary technical information and source code from its systems.
In a follow-up update, the company also revealed that the attacker behind the August breach maintained internal access to its systems for four days until being evicted.
LastPass says its password management software is being used by more than 33 million people and 100,000 businesses worldwide.
Comments
CaptObvious - 1 year ago
It is also important to consider how this can indirectly affect you. I have not seen anyone else mention this so far.
Even if your master password never gets cracked and your vault does not get compromised, someone else or another company who you do business with, who also has access to any of your systems or whom you have shared password with or has their own separate logins to your websites, or accounts, could have their vault compromised, especially if they had a weak password. which in turn compromises you.
It is also highly likely that some websites/businesses you use and trust will end up being hacked as a result of this, due to that company or someone who works there having their LastPass vault compromised.
I wrote about that here:-
https://michaels.me.uk/lastpass-hacked-how-serious-is-it-things-you-may-not-know/