December 23, 2022

LastPass, a popular password manager, admitted to a data breach in August 2022, during which hackers gained access to their names, addresses, and data vaults.

In a nutshell, LastPass concluded that the attackers were successful in installing malware on the computer of a developer. However, LastPass has changed its tune, stating that the cloud storage service is now used to store archived backups of production data.

“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” a LastPass blog post reads.

The hacker also made a copy of customer vault data, which is “stored in a proprietary binary format,” according to the company. Some vault data is not encrypted, such as website URLs. Other information, such as usernames and passwords, is “secured with 256-bit AES encryption,” according to the company, and cannot be decrypted by hackers.

While the company claims that the hackers would be extremely unlikely to decrypt the data, it warns users that they may be targeted by phishing or social engineering attacks.

The sources for this piece include an article in BleepingComputer.