LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.
This follows a previous update issued last month when the company’s CEO, Karim Toubba, only said that the threat actor gained access to “certain elements” of customer information.
Toubba added in a new update to the original statement that Lastpass’ cloud storage was accessed using “cloud storage access key and dual storage container decryption keys” stolen from its developer environment.
“The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” Toubba said today.
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
Some of the stolen vault data is “safely encrypted”
Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user’s master password.
According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass’ systems, and LastPass does not maintain it.
Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data.
However, this would be very difficult and time-consuming if you’ve been following password best practices recommended by LastPass.
If you do, “it would take millions of years to guess your master password using generally-available password-cracking technology,” Toubba added.
“Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.”
Breached twice in a single year
The cloud storage breach is the second security incident disclosed by the company since the start of the year after confirming in August that its developer environment was breached using a compromised developer account.
Lastpass published the August advisory days after BleepingComputer reached out and received no response to questions regarding a possible breach.
In emails sent to customers, Lastpass confirmed the attackers stole proprietary technical information and source code from its systems.
In a follow-up update, the company also revealed that the attacker behind the August breach maintained internal access to its systems for four days until being evicted.
LastPass says its password management software is being used by more than 33 million people and 100,000 businesses worldwide.
