Malicious actors succeeded in stealing customer vault data during LastPass' cloud storage breach. According to researchers, the attackers used data stolen during an earlier incident that took place in August this year.

Over 33 million people and 100,000 businesses around the globe use LastPass' password management software.

After the company's CEO, Karim Toubba, stated last month that “certain elements” of customer information were exposed, he has now revealed that LastPass uses the cloud storage service to store archived backups of production data.

Billing Addresses and Phone Numbers Among Stolen Data

According to researchers, LastPass' cloud storage was breached using a “cloud storage access key and dual storage container decryption keys” previously stolen from its developer environment.

The information was copied from a backup that stored basic customer account information, such as company names, telephone numbers, billing addresses, email addresses, and customers' IP addresses.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container. That backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, end-user names, and form-filled data.


Data Encryption Saves the Day

The good news is that at least some of the stolen vault data was encrypted with 256-bit AES. To decrypt it, threat actors would need a unique encryption key that is derived from each customer's master password.

Since the master password is not known, maintained, or stored on LastPass' systems, cybercriminals have no choice but to brute-force the master passwords before they can actually reach the stolen encrypted vault data.
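The two sentences above describe the property that makes the stolen vaults hard to use: the key never exists on the server, it is stretched from the master password on the client, and every guess an attacker makes has to pay the full stretching cost. The following is an added example (not LastPass code) that shows that mechanism with PBKDF2-HMAC-SHA256 and a simple worst-case cost model. The iteration count, the salt handling, the key-check verifier and the attacker throughput figure are all illustrative assumptions; the real product's parameters are not on this page.

```python
"""Client-side key derivation from a master password, plus a brute-force
cost model. Added example; parameters are assumptions, not LastPass's."""
import hashlib
import hmac
import secrets

KEY_BYTES = 32          # 256-bit key, the size AES-256 needs
ITERATIONS = 600_000    # assumed PBKDF2 iteration count (illustrative)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit vault key.

    The per-user salt can be stored in the clear next to the vault; the
    master password itself never has to leave the client.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def key_check_value(vault_key: bytes) -> bytes:
    """Verifier stored with the vault so a wrong key can be detected
    without storing the key itself (assumed design): HMAC of a fixed
    label under the vault key."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def unlocks(master_password: str, salt: bytes, stored_check: bytes,
            iterations: int = ITERATIONS) -> bool:
    """Re-derive the key from a candidate password and compare in constant time.
    This is exactly the work an attacker must repeat for every guess."""
    candidate = derive_vault_key(master_password, salt, iterations)
    return hmac.compare_digest(key_check_value(candidate), stored_check)


def years_to_exhaust(charset_size: int, length: int, iterations: int,
                     hmac_per_second: float) -> float:
    """Worst-case years to try every password of the given shape when each
    guess costs `iterations` HMAC-SHA256 calls and the attacker can compute
    `hmac_per_second` of them. The throughput is an assumed figure, not a
    benchmark; the point is the multiplicative effect of length and stretching."""
    guesses = charset_size ** length
    return guesses * iterations / hmac_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = secrets.token_bytes(16)            # constructed per-user salt
    check = key_check_value(derive_vault_key("correct horse battery staple", salt))
    print("right password unlocks:", unlocks("correct horse battery staple", salt, check))
    print("wrong password unlocks:", unlocks("password123", salt, check))

    # Assumed attacker throughput: 1e9 HMAC-SHA256/s across a GPU rig.
    rate = 1e9
    print("8 lowercase chars, 600k iterations: %.1f years" % years_to_exhaust(26, 8, ITERATIONS, rate))
    print("12 chars from 95 printable, 600k iterations: %.2e years" % years_to_exhaust(95, 12, ITERATIONS, rate))
    print("same 12 chars, 1 iteration (no stretching): %.2e years" % years_to_exhaust(95, 12, 1, rate))
```

The two knobs a defender controls are visible in the last three lines: password length and character set grow the keyspace exponentially, while the iteration count multiplies the cost of every guess linearly. Neither helps if the vault's unencrypted fields (URLs, in the format described above) are what the attacker is after, which is why the exposure of that metadata matters even when the passwords hold.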

If customers applied the strong password policies recommended by LastPass, their data should still be safe. According to Toubba:

It would take millions of years to guess your master password using generally-available password-cracking technology

Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.

