
The LastPass security breach in August 2022 may have been more serious than the company previously disclosed.
On Thursday, the popular password management service said that malicious actors had used data siphoned from a previous intrusion to obtain a large trove of personal information belonging to its customers, including encrypted password vaults.
Among the stolen data was “basic customer account information and associated metadata, including company name, end-user name, billing address, email address, phone number, and the IP address from which the customer was accessing the LastPass service.”
The August 2022 incident, which remains the subject of an ongoing investigation, involved malicious individuals accessing source code and proprietary technical information from a development environment via a single compromised employee account.
LastPass said this allowed an unidentified attacker to obtain credentials and keys, which were then used to extract information from backups stored in a cloud-based storage service. The company emphasized that this storage is physically separate from its production environment.
Additionally, the attackers are said to have copied customer vault data from the encrypted storage container. The vault is stored in a “proprietary binary format” that contains both unencrypted data, such as website URLs, and fully encrypted fields, such as website usernames and passwords, secure notes, and form-filled data.
The company says these fields are protected using 256-bit AES encryption and can only be decoded with a key derived from the user’s master password on the user’s device.
LastPass also confirmed that unencrypted credit card data was not affected by the security lapse, as that information was not archived in the cloud storage container.
The company did not say how recent the backups were, but warned that attackers “could try to guess your master password by brute force and try to decrypt the copy of the vault data they obtained,” and could also mount social engineering and credential stuffing attacks.
It is worth noting that the success of a brute-force attack against the master password is inversely proportional to its strength: the easier a password is to guess, the fewer attempts it takes to crack it.
“If you reuse your master password and that password has been compromised, a threat actor may attempt to access your account using dumps of compromised credentials that are already available on the Internet.”
Because website URLs are stored in plaintext, successful cracking of the master password could allow an attacker to identify which websites a particular user holds accounts with, enabling additional phishing and credential-theft attacks.
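To make the brute-force and credential-reuse risk described above concrete, here is an added example (not LastPass's code; the key-derivation details are assumed, since the article only says the vault key is derived from the master password on the user's device) that models a stolen vault's key check and reports how many guesses from a constructed list of already-leaked passwords it would take to recover the key:

```python
import hashlib
import hmac

# Constructed parameters for the illustration; not LastPass's real KDF settings.
ITERATIONS = 10_000  # kept small so the demo runs quickly; real vaults use far more
# Constructed stand-in for a credential dump "already available on the Internet".
COMPROMISED_LIST = ["123456", "password", "Summer2022!", "letmein"]


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit vault key on the client from the master password.
    Assumption: PBKDF2-HMAC-SHA256 salted with the account email."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def key_check(vault_key: bytes) -> bytes:
    """Tag that a candidate key can be tested against; it stands in for a
    successful AES-256 decryption of an encrypted vault field (constructed)."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def guesses_to_recover(stolen_check: bytes, email: str, candidates, iterations: int = ITERATIONS):
    """Number of candidates an offline guesser must derive and test before the
    stolen check matches, or None if nothing in the list works."""
    for n, candidate in enumerate(candidates, start=1):
        derived = key_check(derive_vault_key(candidate, email, iterations))
        if hmac.compare_digest(derived, stolen_check):
            return n
    return None


def exposure_report(master_password: str, email: str, iterations: int = ITERATIONS) -> dict:
    """Summarise how exposed a vault would be if its encrypted copy were stolen
    and the attacker worked through the leaked-password list above."""
    stolen = key_check(derive_vault_key(master_password, email, iterations))
    n = guesses_to_recover(stolen, email, COMPROMISED_LIST, iterations)
    return {
        "recovered": n is not None,
        "guesses": n,
        # PBKDF2 iterations the attacker had to spend; strength x KDF cost is the defence
        "pbkdf2_work": (n if n is not None else len(COMPROMISED_LIST)) * iterations,
    }


if __name__ == "__main__":
    print(exposure_report("Summer2022!", "user@example.com"))  # reused, leaked password
    print(exposure_report("correct horse battery staple 7!", "user@example.com"))  # unique passphrase
```

A reused master password that already appears in a public dump is recovered after a handful of derivations regardless of the KDF cost, while a unique passphrase is never matched by the list at all.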
The company further said it has notified a small subset (less than 3%) of its business customers to take certain, unspecified actions based on their account configurations.
The development comes days after Okta admitted that attackers gained unauthorized access to its Workforce Identity Cloud (WIC) repository hosted on GitHub and copied the source code.