Password manager LastPass US LP today revealed that a hacker who gained access to their systems last month copied data from a backup that contained customer account information.
LastPass revealed the attack on Dec. 1, saying at the time that a hacker had gained access to a third-party cloud storage service used by the company and affiliate GoTo Technologies USA Inc. The hacker had gained access using information obtained in a previous breach reported by LastPass in August.
As part of its commitment to transparency, LastPass today provided an update on its investigation and that it discovered that the hacker, having gained access to the cloud storage, copied a backup that contained basic customer account information and related metadata. The data included company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing LastPass.
The threat actor also copied a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contained unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames, passwords, secure notes and form-filled data. In other words, the hacker stole a copy of encrypted password vaults.
In a blog post, LastPass pointed out that the encrypted fields remain secured with 256-bit AES encryption. The encryption used requires a unique encryption key derived from each user’s master password, a password that is not known or stored by LastPass itself.
The customer vault data may be encrypted, but that does not mean that the data gathered by the hacker cannot be used for nefarious purposes. LastPass is warning customers that the threat actor may attempt to use brute force to guess the master password and decrypt copies of the vault data they took. The company did note that it would be extremely difficult to brute-force guess master passwords for customers who follow best practices, which is to say it could be done unless users have used a difficult password to guess.
LastPass also warned that the threat actor may also target customers with phishing attacks, credential-stuffing or other brute-force attacks associated with their LastPass vault.
Companies are targeted by cyberattacks all the time, and though LastPass should be credited for its transparency when they are targeted, the fact that it keeps having security incidents like this is not a good look for a password management company that millions rely on to protect their passwords.
Along with two attacks this year, the company’s history of being hacked goes back to 2015, followed by security issues in 2017 and 2019. In December last year, LastPass users reported attempted logins using their master passwords, although the attack was attributed to credential-stuffing. In January, LastPass admitted it had suffered an outage it first denied that was caused by a bug.