LastPass, a password management firm owned by GoTo (formerly LogMeIn), announced yesterday that a massive data breach took place in August 2022, resulting in the theft of a large amount of customer data. The company says the attackers broke into its internal network and then used the information they obtained there to gain access to customer data, including sensitive information such as user names, email addresses, telephone numbers, IP addresses, and more.
The threat actors were also able to copy a full backup of the customer vault data from an encrypted storage container on the company's servers. This container held both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and other form-fill data.
LastPass CEO Karim Toubba published a notice on Thursday explaining that LastPass production services currently operate from data centers located on the company's own premises, with cloud-based storage also used for various purposes, including storing backups and meeting regional data residency requirements. He added that the cloud storage service accessed by the threat actor is physically separate from the actual production environment.
So far, LastPass has determined that the cloud storage access key and dual storage container decryption keys were somehow obtained by the threat actor, who was then able to quietly copy information from the backup containing customer account information and its related metadata. The encrypted fields remain protected with strong 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password under the company's zero-knowledge architecture. However, the CEO warned that the threat actors may attempt to brute-force users' master passwords and then use them to decrypt the stolen copies of vault data.
In addition, Toubba mentioned that the threat actors may individually target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with their LastPass vault. This serves as a brutal reminder that, even though password managers are overwhelmingly a good thing to use for storing your passwords, not all password managers are created equal, and they can be attacked or compromised in different ways. LastPass customers should therefore take precautions and change their current LastPass master password to a new, unique password or passphrase, written down and kept in a safe place.
If there is concern that a LastPass password vault may have been compromised, for example because the master password is weak or has been used elsewhere, customers are advised to start changing the passwords stored in their LastPass vault, beginning with the most critical accounts and working down the priority list. It is worth noting that any account protected with two-factor authentication will be far more difficult for an attacker to access without that second factor, such as a text message or emailed code. It is therefore essential to secure the accounts that deliver those second factors first, such as email accounts and cell phone plan accounts.
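A small triage script for the rotation order just described, added here as an illustration and not LastPass's own tooling: it takes a vault export, puts the accounts that deliver second factors first, high-value accounts next, and pulls reused or short passwords forward within each tier. The export columns, the second-factor domain list and the high-value keywords are constructed assumptions to adapt to your own vault.

```python
import csv
from collections import Counter

# Constructed sample export for this example only: not the real LastPass
# export format and not real credentials (the columns are an assumption).
SAMPLE_EXPORT = """url,username,password
https://mail.example-provider.com,alice@example-provider.com,Tr0ub4dor&3
https://my.example-carrier.com,alice,Tr0ub4dor&3
https://bank.example.com,alice,correct horse battery staple long
https://forum.example.org,alice,password1
https://shop.example.net,alice,password1
"""
# Assumed lists; tailor them to your own vault.
SECOND_FACTOR_DOMAINS = {"mail.example-provider.com", "my.example-carrier.com"}
HIGH_VALUE_KEYWORDS = ("bank", "pay", "broker", "tax")
MIN_PASSWORD_LEN = 12

def domain_of(url):
    """https://a.b/c -> a.b"""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def assess(entry, reuse_counts):
    """Tier 0: delivers a second factor; 1: high-value; 2: the rest."""
    domain = domain_of(entry["url"])
    if domain in SECOND_FACTOR_DOMAINS:
        tier, reasons = 0, ["delivers second factor"]
    elif any(k in domain for k in HIGH_VALUE_KEYWORDS):
        tier, reasons = 1, ["high-value account"]
    else:
        tier, reasons = 2, []
    n = reuse_counts[entry["password"]]
    if n > 1:
        reasons.append("password reused across %d entries" % n)
    if len(entry["password"]) < MIN_PASSWORD_LEN:
        reasons.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    return tier, reasons

def plan_rotation(export_text):
    """Order entries for rotation; within a tier, flagged passwords go first."""
    rows = list(csv.DictReader(export_text.splitlines()))
    reuse_counts = Counter(r["password"] for r in rows)
    plan = []
    for r in rows:
        tier, reasons = assess(r, reuse_counts)
        plan.append({"domain": domain_of(r["url"]), "tier": tier,
                     "flagged": any(x.startswith("password") for x in reasons),
                     "reasons": reasons})
    plan.sort(key=lambda p: (p["tier"], not p["flagged"], p["domain"]))
    return plan
```

Run `plan_rotation(SAMPLE_EXPORT)` to get the ordered list; the mailbox and carrier accounts come out first because they protect every other account's second factor.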