LastPass Data Breach: Encrypted Password Vaults Were Stolen


(CTN News) – LastPass may have suffered a more serious security breach than previously disclosed.

According to a recent announcement by the popular password management service, malicious actors obtained a trove of customer information, including encrypted password vaults, using data stolen in an earlier break-in.

LastPass said that “basic customer account information and related metadata, such as company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses from which customers accessed the service, were also stolen.”

An investigation into the August 2022 incident is still underway. In that incident, miscreants used a single compromised employee account to access source code and proprietary technical information from the company’s development environment.

This allowed the unidentified attacker to gain access to credentials and keys used to extract information from a backup stored on a cloud-based storage service, which LastPass emphasizes is physically separate from its production environment.

The adversary is also said to have copied customer vault data from the encrypted storage service. The vault is stored in a “proprietary binary format” that holds both unencrypted data, such as website URLs, and fully encrypted data, such as website usernames, passwords, secure notes, and form-filled data.

The company explained that these fields are protected by 256-bit AES encryption and can only be decrypted with a key derived from each user’s master password, which LastPass itself never stores.

This security lapse did not involve access to unencrypted credit card information, as this information was not archived in the cloud storage container.

The company did not divulge how recent the backup was, but warned that the threat actor “may attempt to guess your master password by brute-force and decrypt the copies of vault data they took,” as well as use social engineering and credential stuffing to target customers.

The cost of a brute-force attack is governed by the strength of the master password: the more predictable the password, the fewer guesses are needed to recover it. Because the attackers hold the encrypted vaults offline, no rate limiting or account lockout applies; each guess costs only the key derivation (PBKDF2-SHA256, whose iteration count is a per-account setting that has been far lower on older accounts) plus a trial decryption.

LastPass warns that if you reuse your master password and that password is ever compromised, a threat actor may use dumps of compromised credentials that are already available on the internet in order to gain access to your account.

Because website URLs are stored in plaintext, attackers can see which websites a given user holds accounts with without decrypting anything. That knowledge alone is enough to craft convincing phishing or credential-theft attempts against those specific sites.

Further, the company said that a small subset of its business customers – which amounts to less than 3% – have been notified to take certain unspecified actions.

In a related development, Okta recently acknowledged that threat actors gained unauthorized access to its Workforce Identity Cloud (WIC) repositories on GitHub and copied the source code.


Salman Ahmad is a seasoned writer for CTN News, bringing a wealth of experience and expertise to the platform. With a knack for concise yet impactful storytelling, he crafts articles that captivate readers and provide valuable insights. Ahmad's writing style strikes a balance between casual and professional, making complex topics accessible without compromising depth.
