Earlier this month, we reported how a data breach incident in November involving LastPass allowed an unknown threat actor to access its cloud storage through information stolen from its systems in August this year.
Back then, LastPass, a leading password manager, had only said that the unauthorized party gained access to “certain elements” of customers’ information on the cloud storage service used by the company to store archived backups of production data. It did not disclose what data was stolen.
In an update to the Notice of Recent Security Incident on Thursday, Karim Toubba, the CEO of LastPass, has now confirmed that hackers stole customers’ encrypted password vaults, which store customers’ passwords and other sensitive information, during the data breach in August 2022.
“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” Toubba wrote.
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
Thankfully, these encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.
According to Toubba, the master password is never known to LastPass and is neither stored nor maintained by the company. He added that there is no evidence that any unencrypted credit card data was accessed.
“LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment,” Toubba said.
The company claims that, for customers who follow its best-practice guidance, it would be extremely difficult for hackers to brute force the master password and thereby gain access to the stolen encrypted vault data.
For those who follow LastPass’s password guidance, “it would take millions of years to guess your master password using generally available password-cracking technology,” the company said.
It does, however, warn customers that threat actors could target them with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with their LastPass vault. The company is encouraging customers not to reuse their master password on other websites.
In response to the breach, LastPass is actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security.
“We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment,” it added.
LastPass has already notified a small subset (less than 3%) of its Business customers to suggest that they take certain actions based on their specific account configurations.
Since it is an ongoing investigation, we can expect to hear more updates on the matter in the coming weeks.