Known password manager LastPass has been hacked according to a recent blog post published by the company.
LastPass recently notified its users that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of its production data.
In keeping with its commitment to transparency, it wanted to provide an update regarding its ongoing investigation.
It appears that a cybercriminal obtained information from a previous data breach and used it to gain access to a cloud storage system.
Although no customer data was accessed during the initial incident, the perpetrator obtained credentials and keys by targeting an employee and was able to decrypt certain storage volumes within the cloud storage service.
This was discovered during the ongoing investigation into the matter.
LastPass stores its production data in on-site data centers and uses cloud storage for things like backups and compliance with regional data regulations.
The cloud storage system that was accessed by the threat actor is separate from the main production system.
So far, it seems that the attacker obtained and used certain keys to copy information from a backup that included basic customer details such as names, addresses, emails, phone numbers, and IP addresses of users accessing the service.
LastPass experienced a data breach in which an unauthorized party gained access to a third-party cloud storage service that the company uses to store archived backups of its production data.
The investigation revealed that the threat actor obtained credentials and keys by targeting an employee and used them to access and decrypt certain storage volumes within the cloud storage service.
The attacker copied information from a backup containing basic customer account information, as well as a backup of customer vault data stored in a proprietary binary format.
The vault data includes both unencrypted data, such as website URLs, and encrypted sensitive information like website usernames and passwords, secure notes, and form-filled data.
While the encrypted fields are secured with strong encryption, there is no evidence that any unencrypted credit card data was accessed.
It’s worth noting that LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.
“There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment,” says Karim Toubba , CEO LastPass .
Implications
It is possible that the threat actor may attempt to use brute force methods to guess the master passwords of affected customers and decrypt the copies of vault data that were taken.
However, the company’s use of hashing and encryption techniques makes it very difficult for the attacker to successfully guess these passwords, especially for customers who follow the company’s password best practices.
The company regularly tests the latest password-cracking technologies against its algorithms to maintain strong cryptographic controls.
Also, the threat actor may try to target affected customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts linked to their LastPass vaults.
To protect against these types of attacks, it is important to remember that LastPass will never contact you by phone, email, or text and ask you to click on a link to verify your personal information.
Additionally, aside from when signing into your vault from a LastPass client, the company will never ask for your master password.
Actions
As a result of the August 2022 data breach, the company has taken several steps to secure their systems and protect against future attacks.
These measures include decommissioning and rebuilding their development environment, replacing and hardening developer machines, processes, and authentication mechanisms, and implementing a new set of dedicated development and production environments.
They have also added extra logging and alerting capabilities and enlisted the help of a managed endpoint detection and response vendor to supplement their own team.
In response to the latest incident, they are rotating potentially affected credentials and certificates, analyzing accounts for suspicious activity within the cloud storage service, and adding additional safeguards.
A small percentage of Business customers have been notified and asked to take specific actions based on their account configurations.
The company is continuing to investigate the matter and has informed law enforcement and regulatory authorities. Their services are still running normally and they remain on heightened alert.