Password management giant LastPass has revealed that hackers who broke into the company in August stole encrypted customer vault data and unencrypted account information.
This update comes after the company first said the incident only resulted in a compromise of “source code and some proprietary LastPass technical information.”
The plot then thickened at the end of November, when LastPass revealed that “certain elements of customer information” had been stolen.
Yesterday’s lengthy update revealed that the August incident allowed hackers to obtain “source code and technical information” from the company’s development environment, which was then used to target another employee.
From that employee they obtained credentials and keys, which they used to access and decrypt storage volumes within the company’s cloud-based storage service.
These included backups of customer vault data, which contain both unencrypted data such as website URLs and fully encrypted sensitive data such as website usernames and passwords.
“These encrypted fields are protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using the Zero Knowledge architecture,” LastPass CEO Karim Toubba said in an update.
“The Master Password is never known to LastPass and is never stored or maintained by LastPass. Data encryption and decryption is performed only by the local LastPass client.”
If customers use LastPass’ default master password settings, it would take hackers “millions of years” to crack the credentials, Toubba claimed.
“However, if the master password does not follow those default settings, it would significantly reduce the number of attempts needed to guess it correctly,” he added.
“In this case, as an additional security measure, you should consider changing your saved website passwords to minimize the risk.”
Customers may also face a barrage of phishing attacks that use the unencrypted account details the hackers stole.
Among the data stolen here were “company names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses from which customers were accessing LastPass services.”