- LastPass suffered yet another breach at the hands of hackers earlier this month; the company has now revealed that customer vault data was stolen as well.
- CEO Karim Toubba gives detailed information on what data has been stolen and says customers’ passwords are still safe.
- LastPass discloses that the hacker had internal access for 4 days before being found out and kicked out.
Earlier this month, LastPass disclosed a data breach but did not provide many details about it. This time, customer vault data held in cloud storage was stolen. The hackers used data obtained in the August 2022 incident to enter the company’s cloud storage earlier this year and steal customer vault data.
The CEO details the incident
Karim Toubba, CEO of LastPass, had previously stated that certain elements of LastPass systems were stolen. Now he has detailed the incident and admitted that customer vault data was also stolen, in encrypted form. Toubba said:
« The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. »
Toubba added that, while the data has been compromised, if you have been following the password best practices recommended by LastPass it would take millions of years for the hackers to brute-force your password.
« Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. »
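To make the two quoted statements concrete, here is an added illustration, not LastPass code and not the company’s actual vault format, key-derivation parameters or cipher (the page describes none of these). A constructed vault record keeps the website URL in the clear and seals only the credentials under a key that the client derives from the master password with PBKDF2-HMAC-SHA256 and AES-GCM; the iteration count, salt and sample credentials are assumptions:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// SealedEntry mimics one vault record in a stolen backup: URL in the clear, credentials sealed.
type SealedEntry struct {
	URL  string // unencrypted, as the page says website URLs are
	Blob []byte // nonce || AES-GCM ciphertext+tag of "username\x00password"
}

// DeriveKey is PBKDF2-HMAC-SHA256 (one 32-byte block, RFC 8018); it runs on the
// client, so the service never holds the master password or the vault key.
func DeriveKey(master, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key { key[j] ^= u[j] }
	}
	return key
}

// Seal encrypts only the sensitive fields and binds the plaintext URL as
// associated data, so a blob cannot be moved onto another entry undetected.
func Seal(key []byte, url, user, pass string) SealedEntry {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return SealedEntry{URL: url, Blob: g.Seal(nonce, nonce, []byte(user+"\x00"+pass), []byte(url))}
}

// Open returns "username\x00password"; a key from the wrong master password
// fails the GCM tag check instead of yielding garbage.
func Open(key []byte, e SealedEntry) (string, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	pt, err := g.Open(nil, e.Blob[:g.NonceSize()], e.Blob[g.NonceSize():], []byte(e.URL))
	return string(pt), err
}
```

Whoever holds only the backup sees every URL but must guess the master password to open a single blob, which is why the iteration count and the strength of that one password decide the brute-force cost.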
The organization also disclosed that the hacker responsible for the August incident had internal access to its networks for four days before being kicked out. In that incident, the source code of LastPass was stolen.
Following the November incident, LastPass shared a Twitter post explaining what had transpired.
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq
— LastPass (@LastPass) November 30, 2022
According to LastPass, more than 33 million users and 100,000 businesses use its password management software globally.