The developers of the LastPass password manager have reported that the hackers who recently broke into the company's cloud storage stole customer data, including password vaults that could now theoretically be hacked.
Let me remind you that the compromise of the company's cloud storage became known earlier this month. Notably, the hackers carried out this attack using data stolen from the company during a previous attack, which occurred in August 2022.
We also wrote that seven built-in trackers were found in LastPass for Android.
In early December, the developers wrote that "an unauthorized party, using information obtained during the incident in August 2022, was able to access some customer data," but gave no details, promising to provide them once the investigation was complete.
Now the investigation is over, and LastPass head Karim Toubba says the hacked cloud storage was used to store archived backups of production data, although it was physically separated from the production environment.
The company emphasizes that the encrypted data is protected by 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user's master password. Toubba notes that the master password is not known to LastPass and is not stored on LastPass systems.
By the way, the media also wrote that attackers gained access to privileged credentials that were previously stored in a Ubiquiti IT employee's LastPass account and gained superuser administrator access to all Ubiquiti AWS accounts.
However, users are still warned that attackers may try to crack their master passwords to gain access to stolen encrypted vault data. At the same time, the developers insist that “it will take millions of years to pick up a master password using public technologies for cracking passwords.”
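How long an offline guessing attack on a stolen vault takes depends on the strength of the master password and on the cost of each guess. The code below is an added example, not LastPass code or part of the original report; it assumes PBKDF2-HMAC-SHA256 as the key derivation function, and the iteration count and attacker guessing rate are constructed figures.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed figures for illustration; not taken from the article or LastPass.
ASSUMED_ITERATIONS = 100_000   # KDF iterations per password guess
ASSUMED_PRF_RATE = 1e10        # attacker's HMAC evaluations per second


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret of `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_years(bits: float, iterations: int, prf_rate: float) -> float:
    """Average offline search time: half the keyspace, where every guess
    costs `iterations` PRF evaluations before it can be checked."""
    guesses_per_second = prf_rate / iterations
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def report() -> dict:
    """Expected search time in years for three master password policies."""
    cases = {
        "8 random lowercase letters": entropy_bits(26, 8),
        "12 random printable ASCII characters": entropy_bits(94, 12),
        "6 random words from a 7776-word list": entropy_bits(7776, 6),
    }
    return {
        name: expected_years(bits, ASSUMED_ITERATIONS, ASSUMED_PRF_RATE)
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    key = derive_vault_key("constructed passphrase", b"constructed-salt",
                           ASSUMED_ITERATIONS)
    print("derived key length in bytes:", len(key))
    for name, years in report().items():
        print(f"{name:40s} ~{years:.3g} years")
```

Under these assumptions the short lowercase password falls in days, while the two longer random secrets stay out of reach for billions of years, so the "millions of years" figure holds only for a strong, randomly chosen master password.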
At the same time, LastPass acknowledges that the leaked data can still be used for phishing attacks on users, credential stuffing attacks, or brute-forcing of accounts associated with the LastPass storage.