LastPass informs users that the August data breach gave hackers access to users' names, addresses, and encrypted password data vaults.
On November 30, LastPass notified users that it was investigating an August "security incident" leading to user data theft.
Now, the LastPass CEO Karim Toubba has posted a blog informing users of the extent of what was stolen.
"To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the blog post reads.
The hacker also created a copy of customer vault data, which the company maintains is "stored in a proprietary binary format." Some vault data, like website URLs, is not encrypted. Other data, like usernames and passwords, is "secured with 256-bit AES encryption," which the company maintains cannot be decrypted by hackers.
"[Encrypted data] can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," Toubba writes. "As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."
While the company claims that it would be highly unlikely that the hackers could decrypt the data, it warns users that they could be targeted by phishing or social engineering attacks.
LastPass has come under fire for questionable security practices in the past.
In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that the attacks were the result of passwords leaked in third-party breaches.
In February 2021, a security researcher uncovered seven trackers within the LastPass Android app.
5 Comments
This sort of failure is why I dropped 1Password last year and moved to Enpass which lets me keep my vaults local and allows WiFi sync amongst all my devices. 1Password was essentially forcing everyone into their cloud solution and I just refuse to do that. Plus, most of the password managers have gone to subscription plans and Enpass offers a lifetime purchase. Enpass has some quirks and bugs, but I can live with that in return for not forcing me into the cloud.
1Password is 100% secure as the data is encrypted not only by your password but by the secret key (long). No one can decrypt your data. You are at much more risk of someone stealing your laptop or iDevice and figuring out your password/passcode - having your data local is not going to save you in that much more likely situation.
If you remove the 1st, 2nd, 5th, 6th, 7th and 8th occurrences of the word “that”, the reading experience will be more fluid. For example, the following sentence has 3 occurrences and, as a result, is slightly awkward for the reader:
Just remove them all. The sentence still conveys the same meaning but is less jarring:
“While the company claims it would be highly unlikely the hackers could decrypt the data, it warns users they could be targeted by phishing or social engineering attacks.”
(The 3rd and 4th occurrences are quotes so should remain.)
Apple's Keychain, or 1Password (one of the very few companies that doesn't sell user data to advertisers, I might add). Until Passcodes are completely mainstream, these two options are your best choices for creating, storing, and managing passwords. Plus, both work with Windows (and 1Password also works with Android so a multi-platform household can manage it all).
Keeping passwords at home is only good if you have a backup elsewhere. I prefer open source and recommend Bitwarden. Can we be safe anywhere?