In August of this year, it became known about a hacker attack on the largest password storage service LastPass. The company said at the time that the hackers were able to steal the company’s source code and confidential information, but that password data was not compromised and users did not need to take any action to protect their accounts. But now it turned out that in reality everything was worse than it was said at first.

On December 22, the LastPass administration announced that the latest hack turned out to be more destructive. The fact is that the hackers were able to gain access to user data and “copy a backup copy of customer storage data.” Thus, attackers have at least a complete set of encrypted personal data of LastPass users. And if they can crack the stolen vaults, then theoretically they will have access to all the customers’ passwords.

“During the August 2022 incident, there was no access to customer data,” said LastPass CEO Karim Tubba.

However, some of the app’s source code was stolen and then used to phish a Lastpass employee. As a result, it was possible to gain access to his credentials, and then the hackers used the keys obtained in this way to decrypt and copy some storage volumes in the cloud storage service.

The encrypted data obtained by hackers includes basic customer account details including company names, payment details, email address, IP addresses, phone numbers.

Course

EMPLOYER BRANDING

Build a high-quality and attractive employer brand in just one month.

REGISTER!

“These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user’s master password using our zero disclosure architecture,” Tubba said. “A reminder that the master password is not known to, stored, or maintained by LastPass.”

However, given the scope of the leak and the potential threats, it makes sense for LastPass users to change all passwords for all their accounts, as well as change their master password.

Source: Engadget