Customer details compromised in LastPass data breaches

The data breaches LastPass suffered in August and November 2022 resulted in confidential customer information being compromised.

In a statement, LastPass explained that the August breach saw a malicious actor steal source code and technical information from LastPass’ development environment that was then used to target an employee. This allowed the hacker to gain access to credentials and keys, which they then used to access LastPass’ third-party cloud storage service in November 2022. Using the keys, the malicious party was able to decrypt some storage volumes within the storage service.

After the information was decrypted, the hacker accessed and copied information stored on a backup stored on the cloud that included “basic customer account information and related metadata” including “company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service”. The number of customers affected has not yet been shared.

LastPass explained that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs”, as well as “fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”.

The password management company reassured their customers about the safety of their encrypted data, noting that all encrypted files remain “secured with 256-bit AES encryption”, meaning they need a unique encryption key derived from each user’s password to decrypt it. As LastPass does not know, store or maintain user master passwords, this reduces the chance of compromise. 

LastPass warned its customers to be wary of social engineering or phishing attacks in the wake of the attack. It also noted that while the company uses hashing and encryption methods to protect customer data, the malicious actors may use “brute force” in an attempt to guess customers’ master passwords and decrypt the copies of the vault data they stole.  

The company noted that if customers follow its default settings and best practices for master passwords, it would “take millions of years to guess [a] master password using generally-available password-cracking technology”. It recommended that those who do not follow these best practices change passwords for the websites they currently have stored in their LastPass account.

LastPass told customers that “sensitive vault data, such as usernames and passwords, secure notes, attachments and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture”, adding that there were no recommended further actions for its customers to take.

Learn more about the breach here.