Threat Actors Hacked LastPass' Cloud Storage and Stole Customers' Data
Company Claims Data Is Safe Due to Encryption and Zero-Knowledge Architecture.
Malicious actors succeeded in stealing customer vault data in a breach of LastPass' cloud storage. For this attack they used data stolen during an earlier incident, in August this year, in which the company's development environment was compromised.
Over 33 million people and 100,000 businesses around the globe use LastPass' password management software.
After the company's CEO, Karim Toubba, stated last month that "certain elements" of customer information were exposed, he has now revealed that LastPass uses a third-party cloud storage service to store archived backups of production data, and that these backups are what the attacker reached.
Billing Addresses and Phone Numbers Among Stolen Data
According to the company's disclosure, LastPass' cloud storage was breached using a "cloud storage access key and dual storage container decryption keys" previously stolen from its development environment.
The information was copied from a backup that stored basic customer account information, such as company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container. That backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Data Encryption Saves the Day
The good news is that the sensitive fields in the stolen vault data are encrypted with 256-bit AES. To decrypt them, threat actors would need a unique encryption key that is derived from each customer's master password.
Since the master password is not known, maintained, or stored on LastPass' systems, the attackers have no way to obtain the keys directly; their only option is to brute-force master passwords offline against the stolen encrypted vault data, where no rate limiting or account lockout applies. Note that the unencrypted fields, such as the website URLs, are readable without any cracking at all.
If customers followed the master-password guidance LastPass recommends (a long, unique master password), their data should remain safe even against offline guessing. According to Toubba:
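The situation described above, an attacker holding an encrypted vault and nothing else, is easiest to reason about with a small model. The following is an added example written for this article; it is not LastPass' code and does not reproduce its vault format. It assumes (hypothetically, modelled on the scheme LastPass documents) that the vault key is PBKDF2-HMAC-SHA256 over the master password with the account e-mail as salt, and it replaces the real AES-256 trial decryption with a keyed checksum that simply tells the attacker whether a derived key is the right one. The iteration counts, e-mail address, passwords and wordlist are constructed for illustration. It shows why the cracking cost scales with the KDF iteration count and the master password's entropy, and why a weak master password falls to a wordlist regardless of the cipher.

```python
"""
Offline guessing against a stolen password-manager vault: a simplified model.
Added example, not LastPass' code. All names, salts, iteration counts and
passwords below are constructed assumptions for illustration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class StolenVault:
    """What the attacker holds after copying an encrypted backup: the salt
    (an account e-mail is not secret), the KDF iteration count, and a value
    that lets a candidate key be checked. No master password, no key."""
    email: str
    iterations: int
    key_check: bytes


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256(master password, salt = lower-cased e-mail) -> 32-byte key.
    A per-account salt means every guess must be re-derived for every victim;
    a table precomputed for one account is useless against another."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check_value(key: bytes) -> bytes:
    """Stand-in for 'decrypt a known-format field with AES-256 and see whether
    it parses'. A keyed checksum is used here only to keep the example
    dependency-free; it is not how a real vault is verified."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def make_vault(master_password: str, email: str, iterations: int) -> StolenVault:
    """Build the artefact the attacker steals (the legitimate side of the model)."""
    key = derive_vault_key(master_password, email, iterations)
    return StolenVault(email, iterations, key_check_value(key))


def offline_crack(vault: StolenVault, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each candidate master password against the stolen vault.
    Returns (recovered password or None, number of guesses made).
    Nothing here contacts the service, so lockouts and rate limits never apply."""
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, vault.email, vault.iterations)
        if hmac.compare_digest(key_check_value(key), vault.key_check):
            return guess, tried
    return None, tried


def guesses_per_second(vault: StolenVault, sample: int = 5) -> float:
    """Measure the single-core guessing rate at this vault's iteration count."""
    start = time.perf_counter()
    for i in range(sample):
        derive_vault_key(f"timing-probe-{i}", vault.email, vault.iterations)
    return sample / (time.perf_counter() - start)


def keyspace(alphabet_size: int, length: int) -> float:
    """Number of candidate passwords for a uniformly random password."""
    return float(alphabet_size) ** length


def expected_years(keyspace_size: float, rate: float) -> float:
    """Average-case time to exhaust a keyspace (half of it) at a given rate."""
    return keyspace_size / 2 / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed victim: a human-chosen master password and a modest wordlist.
    vault = make_vault("Summer2022!", "victim@example.com", 100_100)
    wordlist = ["password", "letmein", "Summer2021!", "Summer2022!", "Welcome1"]
    found, n = offline_crack(vault, wordlist)
    print(f"wordlist hit: {found!r} after {n} guesses")

    rate = guesses_per_second(vault)
    print(f"single-core rate at {vault.iterations} iterations: {rate:,.1f} guesses/s")
    for label, alphabet, length in (("8 lowercase letters", 26, 8), ("12 printable chars", 94, 12)):
        years = expected_years(keyspace(alphabet, length), rate)
        print(f"{label}: ~{years:.3g} years on this one core")

    # Fewer iterations make every guess cheaper by exactly the same factor.
    legacy = make_vault("Summer2022!", "victim@example.com", 5_000)
    print(f"at {legacy.iterations} iterations each guess is ~{vault.iterations / legacy.iterations:.0f}x cheaper")
```

The "millions of years" figure quoted by the company is the second line of that output for a long random password at a high iteration count; the first line shows that the same cipher and KDF offer no protection when the master password is in a wordlist. A practitioner reading the incident should therefore check two things on their own account: the strength and uniqueness of the master password, and the iteration count the account is actually configured with, since older accounts may still be on a lower setting.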
It would take millions of years to guess your master password using generally-available password-cracking technology.
Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.