Hackers Stole User Data and Encrypted Password Vaults

According to LastPass, hackers managed to access end-user names, company names, billing addresses, telephone numbers, email IDs, and IP addresses in the August 2022 data breach.

In August 2022, Hackread.com reported on a data breach involving the popular password management service LastPass in which the company claimed only its source code was stolen by hackers. The latest reports reveal that the breach’s scope was way more extensive than the company claimed earlier.

Do not confuse the new details with the data breaches that LastPass revealed in September of 2022, or the one in earlier December of this year.

On Thursday, LastPass released updated information about the breach, revealing that attackers managed to steal the personal data of a large number of its customers, including encrypted password vaults. Furthermore, the attackers used previously leaked data to access the vaults.

Hackers reportedly accessed the private data and metadata of its customers. The information obtained by attackers included end-user names, company names, billing addresses, telephone numbers, email IDs, and IP addresses the customers used for accessing LastPass‘s services.

Further, the attackers also copied the backup of customer vault data, including website URLs and other encrypted data fields, like website usernames, form-filled data, secure notes, and passwords. But unencrypted credit card data wasn’t breached.

These fields were secured with 256-bit AES encryption. Hence it could only be decrypted through a unique encryption key obtained from the master password of each user. For this, the attackers used LastPass’s Zero Knowledge architecture, Karim Toubba, the company’s CEO, wrote.

He didn’t reveal how recent the backup was but noted that the attacker used brute force to obtain the master password and decrypt the vault data.

“If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the internet to attempt to access your account,” the CEO added.

The attackers also stole proprietary technical data and source code from LastPass’s development environment. All of this they achieved using the compromised accounts of an employee.

According to LastPass’s blog post, the attacker obtained keys and credentials to steal data from a backup stored in a Cloud-based storage service, which operated independently and wasn’t a part of its production environment. The encrypted vault data was also stored in the same service’s “proprietary binary format.”

The incident is currently under investigation. The company has notified a small portion (3%) of its business clients to take preventive measures on their account configurations.