LastPass Acknowledges Serious Data Breach, Password Vaults Stolen

The LastPass security breach in August 2022 might have been more serious than the firm had initially revealed.

The well-known password management service disclosed on Thursday that, using information stolen from the earlier break-in, malicious actors were able to steal a wealth of personal information belonging to its users, including their encrypted password vaults.

Basic customer account information, including “business names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which users were using the LastPass service,” was also stolen, according to the company.

The August 2022 incident, which is still under investigation, involved attackers using a single compromised employee account to gain access to source code and confidential technical data from the company's development environment.


According to LastPass, this gave the unknown attacker access to credentials and keys, which they then used to retrieve data from a backup kept in a cloud-based storage service, which the company stressed is physically isolated from its production environment.

Additionally, the attacker is said to have copied customer vault data from the encrypted storage service. This data is stored in a “proprietary binary format” that contains both unencrypted fields, such as website URLs, and fully encrypted fields, such as website usernames and passwords, secure notes, and form-filled data.

According to the business, these fields are encrypted using 256-bit AES technology and can only be unlocked using a key that is derived from the user’s master password on their devices.

LastPass confirmed that the breach did not expose unencrypted credit card information, because that data was not stored in the cloud storage container.

The business withheld the backup’s date but cautioned that the threat actor “may attempt to use brute-force to guess your master password and decrypt the copies of vault data they obtained,” in addition to focusing on customers through social engineering and credential stuffing attempts.

It is worth noting at this point that the likelihood of a brute-force attack recovering a master password is inversely proportional to the password's strength: the weaker the password, the fewer guesses are needed to crack it.
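The two paragraphs above describe the mechanism that now matters for affected users: the encrypted vault fields are protected only by a key stretched from the master password, so the attacker's cost per offline guess is set by the key-derivation function, and the number of guesses is set by the password's strength. The following is an added example, not LastPass code and not based on any detail of their implementation: it derives a 256-bit AES key from a master password with PBKDF2-HMAC-SHA256 (the KDF, the iteration count and the attacker guess rate are all assumptions, labelled in the code), and then estimates the expected offline cracking time for a few password profiles so the "inversely proportional to strength" point can be seen in numbers.

```python
import hashlib
import math
import os

# Assumed parameters (not stated in the article): the actual KDF, iteration
# count and attacker hardware are unknown here, so these are illustrative only.
ASSUMED_KDF_ITERATIONS = 100_000        # PBKDF2-HMAC-SHA256 rounds per guess
ASSUMED_ATTACKER_ROUNDS_PER_SEC = 1e9   # SHA-256 rounds/s an offline attacker can afford


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ASSUMED_KDF_ITERATIONS) -> bytes:
    """Stretch a master password into a 32-byte (AES-256) vault key.

    PBKDF2-HMAC-SHA256 is an assumption used for illustration. The point is
    that every offline guess costs the attacker `iterations` hash rounds, and
    only the holder of the master password can recompute the key.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: `length` symbols drawn from `charset_size`."""
    return length * math.log2(charset_size)


def expected_seconds_to_crack(bits: float,
                              iterations: int = ASSUMED_KDF_ITERATIONS,
                              rounds_per_second: float = ASSUMED_ATTACKER_ROUNDS_PER_SEC) -> float:
    """Expected offline time to find the password.

    On average the attacker searches half the keyspace, and each guess costs
    `iterations` rounds, so raising either factor multiplies the total cost.
    """
    expected_guesses = 2 ** (bits - 1)
    seconds_per_guess = iterations / rounds_per_second
    return expected_guesses * seconds_per_guess


def crack_time_table(iterations: int = ASSUMED_KDF_ITERATIONS,
                     rounds_per_second: float = ASSUMED_ATTACKER_ROUNDS_PER_SEC) -> dict:
    """Expected cracking time (seconds) for a few master-password profiles (constructed)."""
    profiles = {
        "8 lowercase letters": (26, 8),
        "5-word passphrase (7776-word list)": (7776, 5),
        "12 mixed-case letters and digits": (62, 12),
    }
    return {name: expected_seconds_to_crack(entropy_bits(cs, ln), iterations, rounds_per_second)
            for name, (cs, ln) in profiles.items()}


def main() -> None:
    # Constructed demo: a random salt and a sample master password.
    salt = os.urandom(16)
    key = derive_vault_key("correct horse battery staple", salt)
    print(f"derived {len(key) * 8}-bit vault key (prefix): {key.hex()[:16]}...")
    for name, secs in crack_time_table().items():
        years = secs / (86400 * 365.25)
        print(f"{name:38s} ~{years:12.3g} years")


if __name__ == "__main__":
    main()
```

The table shows why both knobs matter to a defender: a short lowercase master password falls quickly at any realistic iteration count, while a random passphrase or a 12-character mixed password pushes the expected cost far beyond what the stolen vault data is worth, and a higher iteration count raises the cost of every profile by the same factor.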

LastPass issued a warning: “If you reuse your master password and that password has ever been hacked, a threat actor may attempt to access your account using dumps of leaked credentials that are already available on the internet.”

Website URLs are stored in plaintext, so if a master password could be successfully cracked, the attackers could also learn which websites a given user has accounts with and use that knowledge to launch more targeted phishing or credential-theft attempts.

The business added that, based on the configuration of their accounts, it had advised a limited group of its business customers—less than 3%—to take a specific, unspecified action.

The development comes a few days after Okta disclosed that threat actors had copied the source code from its Workforce Identity Cloud (WIC) repositories available on GitHub.
