The data breach that hit password manager LastPass this August was more serious than initially believed and involved customer passwords being stolen, the company admitted in its latest update on the incident.
The threat actor was able to copy “a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” the company said.
The attacker also copied a backup containing basic customer account information and related metadata, including end-user names, email addresses, telephone numbers, billing addresses and company names. The IP addresses from which customers had accessed the LastPass service were copied as well.
The company says the encrypted fields “remain secured” with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password under LastPass’s Zero Knowledge architecture.
Password Safety
Since 2018, LastPass has required master passwords to be at least 12 characters long, which reduces the chance that brute-force password guessing succeeds. The company uses a “stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2),” a password-strengthening algorithm that makes the master password harder to guess. The firm also asks users never to reuse their master password on other services.
If customers have followed this guidance, LastPass estimates that it would take “millions of years” to guess the master password with current cracking technology. For such customers, the company recommends no action at this time.
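To make the protection described above concrete, here is an added example in Go (not LastPass’s code) that derives a 256-bit key from a master password with PBKDF2-HMAC-SHA256 at the 100,100 rounds cited, then seals and opens a single vault field with AES-256-GCM; the per-user salt, the single-block derivation and the nonce-prefixed field format are assumptions for the illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DeriveKey is PBKDF2-HMAC-SHA256 for one 32-byte block, all an AES-256 key needs; the salt and this layout are assumed, not LastPass's code.
func DeriveKey(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian index of block 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ { // each round adds one HMAC to the cost of every guess
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Vault keeps only the AES-256-GCM instance built from the derived key; the master password and key stay on the client, which is the "zero knowledge" property the article describes.
type Vault struct{ gcm cipher.AEAD }
func OpenVault(master string, salt []byte) *Vault {
	block, _ := aes.NewCipher(DeriveKey([]byte(master), salt, 100100)) // 100,100 rounds from the article; 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)                                     // AES block size: cannot fail
	return &Vault{gcm}
}
// Seal encrypts one sensitive field (username, password, secure note); the random nonce is prepended.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// Open fails with an authentication error when the vault was opened with a different master password.
func (v *Vault) Open(sealed []byte) ([]byte, error) {
	n := v.gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed field too short")
	}
	return v.gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```

A wrong master password yields a different key, so Open reports a GCM authentication failure rather than garbage plaintext; the attacker holding the stolen backup is left with exactly the guessing game the iteration count is meant to slow.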
Customers who have not followed the guidance have been advised, “as an extra security measure,” to change the passwords they have stored with LastPass.
“This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution … In the meantime, our services are running normally, and we continue to operate in a state of heightened alert,” the post said.
Founded in 2008, LastPass is headquartered in Boston, Massachusetts, and generated revenue of $200 million in 2021. It accounts for 21 percent of the password manager market in the United States.
On Nov. 30, the firm had reported its second security incident of the year: unusual activity detected within a third-party cloud storage service that it shares with its affiliate GoTo.