
LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers.

The revelation was posted on Thursday and represents an update to the LastPass incident. The company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager's development environment. At the time, the company said that the data in customer accounts were not affected.

Sensitive data, both encrypted and not, copied

The company said hackers accessed personal information and related data, including company names, end-user names, billing addresses, email addresses, and telephone numbers. The hackers copied a backup of customer vault data that included unencrypted data such as website URLs, secure notes, and form filled data.

The encrypted fields can only be decrypted with a unique encryption key derived from each user's master password, according to the CEO of LastPass. LastPass refers to this design, in which the company itself has no way to decode the stored data, as zero knowledge. The CEO added:


As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.

There is no evidence that credit card data was accessed, according to the update. The credit card data it stores is kept in a cloud storage environment that is different from the one the threat actor accessed.

The intrusion disclosed in August that allowed hackers to steal LastPass source code and proprietary technical information appears related to a separate breach of Twilio, a San Francisco-based provider of two-factor authentication and communication services. The threat actor in that breach stole data from 163 of Twilio’s customers. The same phishers who hit Twilio also breached at least 136 other companies, including LastPass.

According to Thursday's update, the threat actor was able to use the source code and technical information stolen from LastPass to target a separate LastPass employee and gain access to the company's cloud-based storage service.

Once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from a backup that contained basic customer account information, including company names, end-user names, billing addresses, email addresses, and telephone numbers. The threat actor was also able to copy a backup of customer vault data from the storage container, which is stored in a proprietary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields.


The representatives of LastPass didn't reply to the question of how many customers had their data copied.

Shore up your security now

The company says it has taken several steps to shore up its security, including deploying a managed endpoint detection and response service and rotating all relevant credentials and certificates.

Given the sensitivity of the data LastPass stores, it is alarming that such a large amount of personal data was obtained. It is not out of the question that a threat actor with substantial resources could crack master passwords offline.

Customers of LastPass should change the passwords stored in their vault and make sure their key-derivation settings are above the default. Master passwords that are long, unique, and randomly generated are impractical to crack, but weaker ones are only as strong as the Password-Based Key Derivation Function (PBKDF2) settings that protect them. The default of 100,100 iterations falls woefully short of the 310,000-iteration threshold recommended by OWASP. Customers can check the number of iterations configured for their account.
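The two points above, that the vault key is derived locally from the master password (the zero-knowledge claim) and that the PBKDF2 iteration count sets the cost of every offline guess against a stolen vault backup, can be made concrete with a small script. This is an added example, not LastPass code: the salt, the sample master password and the key-handling details are constructed assumptions; only the two iteration counts come from the article.

```python
import hashlib
import time

# Iteration counts cited in the article.
ITERATIONS_DEFAULT = 100_100   # LastPass default
ITERATIONS_OWASP = 310_000     # OWASP recommendation for PBKDF2-HMAC-SHA256


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    This runs on the client only: the master password never leaves the machine,
    so a party holding the vault backup can recover the key only by guessing the
    password and repeating this derivation for each guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_guess_cost(iterations: int, baseline: int = ITERATIONS_DEFAULT) -> float:
    """Cost of one offline guess relative to the baseline iteration count.

    PBKDF2 work is linear in the iteration count (one HMAC per iteration), so
    raising the setting from 100,100 to 310,000 makes every guess about 3.1x
    more expensive for the attacker and only 3.1x slower for a single user login.
    """
    return iterations / baseline


def time_one_derivation(iterations: int, salt: bytes = b"constructed-salt") -> float:
    """Wall-clock seconds for a single derivation on this machine (a rough
    per-guess cost for an attacker using the same CPU code path)."""
    start = time.perf_counter()
    derive_vault_key("constructed sample master password", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for iters in (ITERATIONS_DEFAULT, ITERATIONS_OWASP):
        secs = time_one_derivation(iters)
        print(f"{iters:>7} iterations: {secs:.3f} s per derivation, "
              f"{relative_guess_cost(iters):.2f}x the default guess cost")
```

The measured time is only a lower bound on the defender's side: dedicated cracking hardware is far faster than a Python loop, which is exactly why the iteration count, and above all a long random master password, matter more than any single timing number.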

Customers should also watch out for phishing emails and phone calls purporting to come from LastPass, or from other services, that ask for sensitive data. The company has specific advice for business customers.