LastPass revealed that hackers have stolen encrypted customer vault data after breaching its cloud storage earlier this year. Last month, LastPass CEO Karim Toubba said that “threat actors had accessed certain elements of customer info.” However, the company now admits the stolen data is a “copy of backup of customer vault data.”
Theoretically, the hackers will gain access to all customer passwords if they manage to break the encryption of the stolen database.
The full statement from Toubba elaborates:
“We have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
But, it gets worse. The statement continues (emphasis LastPass):
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
LastPass attempts to downplay the breach by stating that it would take “millions of years to guess your master password using generally-available password-cracking technology.” They also state that there “are no recommended actions that you need to take at this time.”
While that may sound comforting to at least some of the LastPass customer base, the bottom line is that this is the second significant breach in a single year for the company.
The developer environment was breached using a compromised developer account in August, and left many customers wondering what the true fallout was—until yesterday.
There are more than 33 million people and 100,000 businesses using LastPass, and the timing of this announcement is suspect, right as workers go on an extended holiday.
