Date: 2022-12-23

For LastPass users, it is time to update all their passwords and account details. Once that is done, one should ideally move the new data away from the password manager. That’s because the company has admitted that hackers stole encrypted user password vaults and other sensitive details. This is the company’s latest update regarding a security incident that was first reported in August 2022, in which hackers had stolen the platform’s source code. Source code, once compromised, gives cybercriminals a closer look at proprietary systems and makes a platform more vulnerable to attacks. This is what was reported in November 2022, when the company admitted it had “detected unusual activity within a third-party cloud storage service.”

Now, in a new blog post, the CEO Karim Toubba wrote that hackers gained access to other “credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Worryingly, LastPass has not mentioned how many LastPass users are impacted.

Hackers also stole key user information such as “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” They were also able to “copy a backup of customer vault data from the encrypted storage container,” which is the most troubling bit of information. This data also includes “unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”



LastPass claims that the “encrypted fields” are still safe and “can only be decrypted with a unique encryption key derived from each user’s master password.” The platform does not store the master password itself. The company insists that “the encryption and decryption of data are performed only on the local LastPass client.” The company is also claiming that “there is no evidence that any unencrypted credit card data was accessed,” as it tries to reassure customers.