Hackers Stole Data from LastPass User Password Vaults


The developers of the LastPass password manager have reported that the hackers who recently broke into the company's cloud storage accessed it and stole customer data, including encrypted password vaults that could now, in theory, be attacked offline.

Recall that the compromise of the company's cloud storage became known earlier this month. Notably, the attackers got in using data stolen from the company during a previous attack, in August 2022.

We also wrote earlier that seven built-in trackers were found in LastPass for Android.

In early December the developers wrote that "an unauthorized party, using information obtained during the incident in August 2022, was able to access some customer data," but gave no details, promising them once the investigation was complete.


Now the investigation is over, and LastPass CEO Karim Toubba says the compromised cloud storage was used to hold archived backups of production data, although it was physically separated from the production environment.

The attacker copied information from a backup that contained basic customer account information and related metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and IP addresses from which customers accessed the LastPass service. The attacker was also able to copy a backup of customer vault data from an encrypted container, which is stored in a proprietary binary format and contains both unencrypted data (such as website URLs) and fully encrypted sensitive fields such as websites, usernames and passwords, secure notes, and form-fill data, writes Toubba.

It is emphasized that the encrypted data is protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. Toubba notes that the master password is not known to LastPass and is not stored on LastPass systems. In practice this means that the strength of the master password and the cost of the key-derivation function are all that stand between someone holding a copy of the vault and its contents.

The media also reported earlier that attackers gained access to privileged credentials previously stored in a Ubiquiti IT employee's LastPass account and obtained superuser administrator access to all of Ubiquiti's AWS accounts.

Nevertheless, users are warned that attackers may try to crack their master passwords to gain access to the stolen encrypted vault data. At the same time, the developers insist that "it would take millions of years to guess a master password using generally available password-cracking technology."
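The encryption model described above (a 256-bit key derived from the user's master password, vault fields encrypted with AES-256, and the offline guessing attack the company warns about), as an added example that is not LastPass's code or vault format. It assumes PBKDF2-HMAC-SHA256 as the key-derivation function, AES-256-GCM as the cipher mode, the account e-mail as the PBKDF2 salt, and a made-up iteration count, sample account and wordlist; the real LastPass binary format and parameters are not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so the example
// depends only on the standard library. Each iteration is one HMAC, which is
// exactly the per-guess cost an offline attacker has to pay.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil)            // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_j
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// VaultItem mirrors the split the statement describes: the URL sits in the
// clear, the sensitive field is an AES-256 ciphertext (layout is assumed).
type VaultItem struct {
	URL        string
	Nonce      []byte
	Ciphertext []byte
}

// deriveKey turns the master password into the 256-bit vault key.
// Assumption: the salt is the account e-mail; the page does not say what LastPass uses.
func deriveKey(master string, salt []byte, iterations int) []byte {
	return pbkdf2SHA256([]byte(master), salt, iterations, 32)
}

// sealField encrypts one sensitive field with AES-256-GCM under a fresh random nonce.
func sealField(key, plaintext []byte) (nonce, ciphertext []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil)
}

// openField decrypts a field; a wrong key fails the GCM tag check and returns an error.
func openField(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// crackMaster is the attack the statement warns about: holding the vault blob and
// the salt, try candidate master passwords offline. The GCM tag rejects every
// wrong key, so a successful Open is the oracle. AES-256 itself is never attacked.
func crackMaster(item VaultItem, salt []byte, iterations int, candidates []string) (string, bool) {
	for _, guess := range candidates {
		key := deriveKey(guess, salt, iterations)
		if _, err := openField(key, item.Nonce, item.Ciphertext); err == nil {
			return guess, true
		}
	}
	return "", false
}

func main() {
	salt := []byte("alice@example.com") // constructed sample account (assumed to double as salt)
	const iterations = 100000           // demo value, not LastPass's setting
	key := deriveKey("correct horse battery staple", salt, iterations)
	nonce, ct := sealField(key, []byte("alice@example.com:hunter2"))
	item := VaultItem{URL: "https://mail.example.com", Nonce: nonce, Ciphertext: ct}
	fmt.Printf("leaked item: url=%s (clear) ciphertext=%x\n", item.URL, item.Ciphertext)

	wordlist := []string{"password", "123456", "letmein", "correct horse battery staple"} // constructed
	if guess, ok := crackMaster(item, salt, iterations, wordlist); ok {
		pt, _ := openField(deriveKey(guess, salt, iterations), item.Nonce, item.Ciphertext)
		fmt.Printf("master password %q is in the wordlist; field decrypts to %s\n", guess, pt)
	}
}
```

The point the demo makes is that the "millions of years" figure depends entirely on master-password entropy: each guess costs one PBKDF2 run, so a high iteration count slows an attacker down by that factor, but a master password that appears in a wordlist falls in seconds regardless of how strong AES-256 is. A user whose vault is in the stolen backup should therefore rotate a weak master password and the credentials inside it, not rely on the cipher.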

Your vault's sensitive data, such as usernames and passwords, secure notes, attachments, and form-fill data, remain securely encrypted thanks to the Zero Knowledge architecture, the developers write.

At the same time, LastPass acknowledges that the leaked data can still be used for phishing attacks on users, credential stuffing, or brute-force attacks against the accounts associated with the stolen vaults. The unencrypted website URLs are what make targeted phishing practical: they tell an attacker exactly which services each user has accounts with, and the leaked e-mail addresses and phone numbers tell them where to send the lure.

You might also be interested in How To Securely Store Passwords.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
