The company has revealed that via blog updates regarding the ‘Recent Security Incident’ and their commitment to transparency revealed many crucial details which worth discussing.
LastPass’ Encrypted Password Vaults Compromised In Recent Data Breach
According to LastPass’ CEO, Karim Toubba, the threat actor was able to obtain a copy of a backup of customer vault data, and the hacker was able to do that with earlier stolen keys of a cloud storage server from a LastPass employee. As the report also noted that the threat actor already took much of customer data which includes names, email addresses, phone numbers, and some billing information. Currently, it is unspecified how old these backups were, but the company revealed that the backup of customer vault data was present in the encrypted storage container that stores both unencrypted data and encrypted data in a proprietary binary format. The unencrypted vault’s data is said to be specific web addresses, website usernames, website URLs, and form-filled data that hackers can get by decoding binary format. And the encrypted data vault contains everything that remains, such as passwords, customers’ secure notes, etc. Besides, LastPass noted that the unencrypted vault did not include any access to credit card data, as this information was not present in the cloud storage container. The company concludes that the encrypted vault’s data and password are only allowed to unlock with the customers’ master password, and this password is only known to customers. But the company has still warned that the hacker behind this all “may attempt to use brute-force to guess your master password and decrypt the copies of vault data they took”. And what customers can do to protect their password vault:
Customers can make their master password harder with combinations that they didn’t use anywhere else. In this situation, the customers who have implemented two-factor authentication are more secure, so if you haven’t applied it, do it now.