LastPass admitted that they had suffered a data breach at the hands of hackers. The cyber attackers managed to gain access to the cloud storage using an access key and dual storage container decryption keys.
Should You Be Worried?
The hackers copied information from the backup that had basic customer account information and related metadata, which had company names, end-users names, billing addresses, email addresses, telephone numbers, and IP addresses, says Karim Toubba, the company CEO.
He added that the attacker also copied a backup of customer vault data from the encrypted storage container. The container was said to have a proprietary binary format, which had unencrypted data like URLs.
The encrypted container also had fully-encrypted sensitive fields like website usernames, passwords, secure notes, and form-filled data, as mentioned in Bleeping Computer. The unencrypted data may be a cause for concern, but the encrypted data are inaccessible.
According to Toubba, the encrypted data has a 256-bit AES encryption. The security wall can only be decrypted using a unique encryption key, which cannot be determined without the user's master password.
Users' master passwords were not stolen by the hackers, seeing as LastPass never stored nor maintained them in its systems. Technically, the encrypted data is safe as long as customers protect their passwords from cyber attackers.
Although Lastpass already warned its users that the hackers might not stop with the breach. It's possible that they would still attempt to steal users' master passwords in order to access the stolen encrypted vault data.
Users should be wary of phishing attacks, credential stuffing, as well as other brute-force attacks against accounts that may be associated with their LastPass vault. The company will never call, email, or text customers asking them to click a link for verification.
Toubba assured that it would take "millions of years" for hackers to guess your master password using generally-available password-cracking technology. He also claimed that vault data like usernames, passwords, secure notes, and form fields are safe on LastPass' Zero Knowledge Architecture.
Read Also: LastPass Suffers New Breach, Customer Data Gets Exposed
LastPass' Response to the Incident
The company has already been breached back in August, but they have already eradicated any potential access to the LastPass development environment by decommissioning it. They have built a new environment from scratch, as mentioned on their website.
In addition to building a new environment, they have also replaced and upgraded developer machines, processes, and authentication mechanisms. There are added additional logging and alerting systems to detect unauthorized activity.
As a fix for the recent incident specifically, LastPass is rotating relevant credentials and certificates that may have been affected in the breach. The company is also conducting an exhaustive analysis of every account with signs of suspicious activity.
To understand the threat, the password manager analyzes all the data within its environment. The company has already informed less than three percent of its Business customers of the breach and recommended that they take action based on their account configuration.
The incident is currently under investigation, as LastPass already alerted law enforcement and regulatory authorities of the breach.
Related: LastPass Password Manager Admits it Had a Data Breach - Should You Change Your Passwords?
