Back in August, LastPass announced that its systems had been compromised in a security incident. Now, LastPass CEO Karim Toubba has disclosed that the threat actors managed to copy encrypted passwords and other data stored in customer vaults.
In a blog post published yesterday, LastPass revealed that the attackers accessed customer data such as names, telephone numbers, email addresses, IP addresses, and some billing information. The threat actors also copied customer vault data containing both unencrypted and encrypted fields, including website URLs, user credentials, form data, and secure notes.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client,” LastPass CEO Karim Toubba explained.
In its investigation, LastPass didn’t find any evidence that the hackers managed to access unencrypted credit card details. The company says that the threat actors couldn’t access the specific cloud storage environment where it stores customers’ credit card information.
LastPass says that the hackers would need the user’s master password to decrypt the stolen files. Brute-force attempts against the harvested data remain possible, but they would require massive amounts of resources.
Furthermore, LastPass warns that phishing attacks are increasingly targeting both individual and business customers. The company has taken several steps to prevent similar breaches in the future, including rebuilding the compromised development environment from scratch and rotating the affected credentials and certificates.
LastPass recommends that users change their master password and all other credentials stored in their password vault. Customers should also review their account settings rather than relying on the defaults, and should not hand over sensitive data in response to unsolicited emails or phone calls. The company has published separate instructions for high-risk business customers; the full security update is available on the LastPass website.