LastPass says hackers stole customer data, encrypted passwords


Password managers are a way for customers to store usernames and passwords in one place and can be accessed using a master password that a customer creates. The master password isn’t known to LastPass nor is stored or maintained by the company, it said in its statement. — Dreamstime/TNS

LastPass, a password management service, announced on Thursday that hackers stole encrypted copies of customer passwords and other sensitive data such as billing addresses, phone numbers and IP addresses.

The announcement is the latest update from a breach that occurred in August. At that time, the company said they had seen no evidence that the hackers had access to customer data or encrypted password vaults.

But the company’s statement on Thursday said that source code and technical information that were stolen as part of that hack was used to target another employee. The hackers were then able to obtain credentials and keys to access and decrypt data stored on a third-party cloud storage space.

They were able to copy such things as basic customer account information, including email addresses and the IP addresses from which customers accessed LastPass, and "fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data.”

Password managers are a way for customers to store usernames and passwords in one place and can be accessed using a master password that a customer creates. The master password isn’t known to LastPass nor is stored or maintained by the company, it said in its statement.

The other encrypted data can only be decrypted "with a unique encryption key derived from each user’s master password,” the company said.

Nonetheless, LastPass warned customers that they could be targeted for social engineering, phishing attempts or other methods.

"The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” the company said in a statement. "Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.”

For those who follow LastPass’s password guidance, "it would take millions of years to guess your master password using generally available password-cracking technology,” the company said.

A representative for LastPass didn’t respond to messages seeking comment.

The company said that it has hired cybersecurity firm Mandiant to investigate the breach. It also said that it is rebuilding its entire development environment from scratch, an indication that hackers had thoroughly comprised the company’s sensitive systems.

LastPass said that its investigation is ongoing, and that it has notified law enforcement and "relevant regulatory authorities.” – Bloomberg

Follow us on our official WhatsApp channel for breaking news alerts and key updates!
   

Next In Tech News

Can an Apple�Watch get AFib patients off bloodthinners?
South Korea fines Meta about $15 million over collection of user data
Ehailing service Bolt says it’s launching in Malaysia soon, already licensed by Apad
French IT firm Atos agrees to sell Worldgrid unit to Alten
Opinion: These Apple researchers just showed that AI bots can’t think, and possibly never will
Nintendo cuts annual profit forecast by 10% as Switch sales slow
You may have blocked someone on X but now they can see your public posts anyway
Japan taps US chip startup Tenstorrent to help train new wave of engineers
Chinese AI firms are splurging on ads, report finds, as chatbot market gets crowded
Data of over 148,000 people leaked after ransomware attack on 2 Hong Kong hearing centres

Others Also Read