LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.
LastPass revealed that this repository of customer passwords is stored in a “binary format” and contains both unencrypted data, such as website URLs, as well as encrypted data including website usernames and passwords, secure notes, and form-filled data.
“Once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the firm said in a statement.
Severe Data Breach
This latest update from LastPass has raised serious concerns that stolen information could be leveraged by threat actors to target users en masse.
LastPass warned that attackers may attempt to brute-force master passwords against the stolen vaults, but said that because of the hashing and encryption methods it uses, this would be “extremely difficult”. The threat actor was also able to copy a backup of the customer vault data from the encrypted storage container.
The risk for customers is that the attackers now hold an offline copy of the encrypted vaults and can try to guess master passwords at their leisure, with no server-side lockout or rate limiting to slow them down; only the cost of the key-derivation step stands between a guess and a decrypted vault. Vaults protected by a weak or reused master password are the easiest targets. LastPass reiterated that its hashing and encryption methods make this extremely difficult.
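The offline attack described above, as an added illustration that is not LastPass code and does not reproduce its vault format: the page does not state the key-derivation parameters, so the example assumes the vault key is PBKDF2-HMAC-SHA256 of the master password and a per-user salt, and uses an HMAC tag over a constructed vault header as a stand-in for the authenticated-decryption check that tells an attacker a guessed key is right. The wordlist and the two iteration counts (5,000 and 100,100) are constructed for the demonstration.

```python
"""
Constructed illustration of why a stolen encrypted vault exposes weak master
passwords to offline guessing. Not LastPass code. Assumptions: vault key =
PBKDF2-HMAC-SHA256(master password, per-user salt, N iterations); the attacker
can recognise a correct key (modelled by an HMAC tag over a fixed header,
standing in for an authenticated-decryption check).
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

HEADER = b"VAULT-HEADER-v1"  # constructed placeholder for the vault's fixed header


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Slow key derivation: every extra iteration costs the attacker as much
    per guess as it costs the legitimate client once per login."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_vault(master_password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Stand-in for an encrypted vault blob as it sits in a backup: the salt
    and iteration count are stored in the clear next to the ciphertext."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    tag = hmac.new(key, HEADER, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def key_opens_vault(vault: dict, key: bytes) -> bool:
    """The attacker's oracle: only the correct key reproduces the tag."""
    candidate = hmac.new(key, HEADER, "sha256").digest()
    return hmac.compare_digest(candidate, vault["tag"])


def offline_guess(vault: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on a stolen copy. The server is not involved, so no
    lockout or rate limit applies; only the KDF cost slows the attacker.
    Returns (recovered password or None, number of guesses tried)."""
    tried = 0
    for cand in candidates:
        tried += 1
        key = derive_vault_key(cand, vault["salt"], vault["iterations"])
        if key_opens_vault(vault, key):
            return cand, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure single-core PBKDF2 cost on this machine for one guess."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def estimate_crack_seconds(iterations: int, keyspace: int, cores: int = 1) -> float:
    """Worst-case CPU time to exhaust `keyspace` guesses on `cores` cores.
    GPU rigs are orders of magnitude faster; only the scaling matters here."""
    return seconds_per_guess(iterations) * keyspace / cores


if __name__ == "__main__":
    # Constructed wordlist: the kind of candidates tried first.
    wordlist = ["123456", "password", "qwerty", "letmein", "password123", "Summer2022!"]

    weak = make_vault("password123", iterations=5000)
    print("weak vault:", offline_guess(weak, wordlist))

    strong = make_vault("correct horse battery staple 7#", iterations=100100)
    print("strong vault:", offline_guess(strong, wordlist))

    # Same wordlist, two KDF settings: iteration count scales attacker cost linearly.
    for n in (5000, 100100):
        t = estimate_crack_seconds(n, keyspace=10**9)
        print(f"{n:>7} iterations: ~{t / 3600:,.1f} core-hours to try 1e9 guesses")
```

Two things the run makes concrete: a master password that appears in a wordlist falls regardless of the iteration count, because the attacker only pays the KDF cost once per candidate, and a high iteration count buys time only in proportion to how many guesses the attacker must make, which is why a long, unique master password matters more than any server-side setting once the ciphertext has been copied.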
LastPass said: “It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”
There is no evidence that unencrypted credit card data was accessed, the company said, because LastPass does not store full credit card numbers and credit card information was not archived in this cloud storage environment.
If users think that their LastPass password vault could be compromised, for example because their master password is weak or they have used it elsewhere, they should begin changing the passwords stored in their LastPass vault. Changing the master password now does not protect the copy already in the attackers’ hands, so rotating the stored credentials is what matters. Start with the most critical accounts, such as email accounts, cell phone plan accounts, bank accounts and social media accounts.