etmopa.blogg.se

Lastpass data breach

The data breaches LastPass suffered in August and November 2022 resulted in confidential customer information being compromised. In a statement, LastPass explained that the August breach saw a malicious actor steal source code and technical information from LastPass’ development environment, which was then used to target an employee. This allowed the hacker to gain access to credentials and keys, which they then used to access LastPass’ third-party cloud storage service in November 2022. Using the keys, the malicious party was able to decrypt some storage volumes within the storage service. After the information was decrypted, the hacker accessed and copied information from a backup stored in the cloud that included “basic customer account information and related metadata” including “company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service”. The number of customers affected has not yet been shared. LastPass explained that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs”, as well as “fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”. The password management company reassured its customers about the safety of their encrypted data, noting that all encrypted files remain “secured with 256-bit AES encryption”, meaning that a unique encryption key derived from each user’s password is needed to decrypt them. Because LastPass does not know, store or maintain user master passwords, the chance of compromise is reduced. LastPass warned its customers to be wary of social engineering or phishing attacks in the wake of the attack.













