Dec 23 – A LastPass cyber security breach that occurred last August may have been more severe than the company previously anticipated or acknowledged, according to recent media reports.
On Thursday, the popular password management service indicated that hackers obtained a selection of personal information belonging to its customers, including encrypted password vaults. The attackers reached these details by using data siphoned from an earlier breach.
LastPass data breach
According to press releases, basic customer account information and related metadata were also stolen. This includes company names, end-user names, billing details, email addresses, telephone numbers and the IP addresses from which customers accessed the LastPass platform.
August 2022 cyber security incident
In August, LastPass suffered a breach that remains the subject of an ongoing investigation. The breach enabled the cyber attackers to obtain credentials and keys that were then used to extract information from company-owned backups stored in the cloud. LastPass has emphasized that the backups were stored in a physically separate location from the company’s production environment.
In addition, the cyber criminals are believed to have copied customer vault data from the encrypted storage service. Such data is stored in a “proprietary binary format,” which contains both unencrypted data and fully encrypted fields. The former consist of website URLs, while the latter include usernames and passwords, secure notes and form-fill data.
The encrypted fields are protected with 256-bit AES encryption. In principle, they can only be decrypted with a key derived from the user’s master password, which is held only on the individual user’s devices.
Credit card data
LastPass stated that the breach did not expose unencrypted credit card data, as this information was not housed in the cloud storage container.
LastPass has warned that the cyber criminal perpetrators may attempt to use brute-force and password spraying techniques to guess users’ master passwords. Customers may also see an increase in LastPass-related social engineering and credential stuffing attacks within the coming days and weeks.
Moving forward, customers should use exceptionally strong master passwords for their LastPass accounts, since a strong password makes it far harder for cyber criminals to guess it offline and thereby break into the account.
According to LastPass, the company notified a small subset of its business customers to take certain security-related protective actions based on existing account configurations.