According to LastPass, hackers stole encrypted passwords and customer data.
- According to LastPass, the initial breach occurred in August.
- The master password that users create is not stored.
- Mandiant, a cybersecurity company, has been engaged by LastPass to look into the hack.
LastPass, a password management service, revealed on Thursday that hackers had taken encrypted copies of user password vaults as well as other private information such as IP addresses, billing addresses, and phone numbers. The disclosure is the latest information about a breach that happened in August.
The business claimed at the time that it had seen no proof that the hackers had accessed client data or encrypted password vaults.
However, the business said in a statement on Thursday that source code and technical data taken in that theft were used to target one additional employee. By obtaining that employee's credentials and keys, the hackers were able to access data that was encrypted and kept in a third-party cloud storage space.
They were able to steal 'fully-encrypted sensitive areas such as website usernames and passwords, secure notes and form-filled data,' as well as 'basic customer account information, including email addresses and the IP addresses from which consumers accessed LastPass.' According to LastPass's statement, neither the company nor its servers ever know a user's master password.
The business stated that the only way to decipher the other encrypted data is 'with a unique encryption key created from each user's master password.'
Still, LastPass cautioned users that they might be the target of social engineering, phishing scams, or other tactics. The threat actor 'may try to employ brute force to guess your master password and decrypt the copies of vault data they obtained,' according to the statement from the business.
'It would be very difficult to try to brute force guess master passwords for those clients that follow our password best practices because of the hashing and encryption procedures we utilise to defend our clients,' the statement continued. According to LastPass, it would take millions of years for password-cracking software to successfully guess a user's master password if they follow the company's password recommendations.
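The two claims above, that the vault can only be decrypted with a key derived from the master password and that guessing cost depends on hashing and password strength, are easier to reason about with a concrete model. The following is an added illustrative example and not LastPass's own code: it stretches a master password into a vault key with PBKDF2-HMAC-SHA256, seals a sample vault with an encrypt-then-MAC construction (an HMAC-based keystream stands in for AES, which the Python standard library lacks), and estimates how long exhaustive guessing would take. The iteration count, the attacker throughput figure, and the sample vault contents are all assumptions chosen for illustration.

```python
"""Illustrative model of a master-password-derived vault key (not LastPass code)."""
import hashlib
import hmac
import secrets

# Assumed iteration count for illustration only; not LastPass's actual setting.
ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    Only this derived key, never the master password, is used for the vault,
    so a stored record reveals nothing about the password by itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the vault key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal_vault(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The returned record is what would sit in cloud storage."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(key: bytes, record: dict) -> bytes:
    """Verify the tag before decrypting: a wrong key raises instead of returning garbage."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: wrong key or tampered vault")
    keystream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], keystream))


def expected_years_to_guess(password_bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected time for exhaustive guessing to reach the right password.
    Each guess costs `iterations` SHA-256 computations, and on average half
    the keyspace is searched. `hashes_per_second` is an assumed attacker
    throughput supplied by the caller, not a measured figure."""
    guesses_per_second = hashes_per_second / iterations
    expected_guesses = 2 ** (password_bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # stored alongside the vault; not secret
    key = derive_vault_key("correct horse battery staple", salt)
    # Constructed sample vault entry, not real data.
    record = seal_vault(key, b"site: example.org user: alice pass: hunter2")
    print(open_vault(key, record))
    # Assumed throughput of 1e10 SHA-256/s, an illustrative figure only.
    print("weak (28-bit) password, years:", expected_years_to_guess(28, ITERATIONS, 1e10))
    print("strong (80-bit) passphrase, years:", expected_years_to_guess(80, ITERATIONS, 1e10))
```

The estimate makes the article's point explicit: the iteration count divides the attacker's hash rate, and every extra bit of password entropy doubles the expected work, so the same stolen record is effectively permanent protection for a long random passphrase and little protection for a short guessable one.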