LastPass revealed that encrypted password vaults were stolen

The data breach suffered by LastPass in August 2022 may have been more severe than previously thought.

In August password management software firm LastPass disclosed a security breach, threat actors had access to portions of the company development environment through a single compromised developer account and stole portions of source code and some proprietary technical information.

In response to the incident, the company deployed containment and mitigation measures and implemented additional enhanced security measures.  

The company engaged a leading cybersecurity and forensics firm to investigate the incident, at the time of disclosure it confirmed that the data breach did not compromise users’ Master Passwords.

In an update published on Thursday, the company revealed that threat actors obtained personal information belonging to its customers, including encrypted password vaults.

The company discovered that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the August security incident. The attackers used the info accessed to target another employee and obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service. 

The update highlights that the cloud storage service accessed by the threat actor is physically separate from the production environment.  

Once obtained the cloud storage access key and dual storage container decryption keys, the attackers copied information from backup that contained basic customer account information and related metadata. Copied data include company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The threat actor also copied a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format. The backup contains both unencrypted data (i.e. Website URLs) and 256-bit AES-encrypted sensitive (i.e. Website usernames and passwords, secure notes, and form-filled data).   

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” reads the update provided by the company. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.”

The risk for customers is that threat actors may attempt to brute force their master password and decrypt the copies of the vault data they copied. LastPass added that the hashing and encryption methods used are extremely robustand it is hard for attackers to guess master passwords for customers who follow password best practices. This means that customers that have used weak passwords may be at risk.

LastPass confirmed that threat actors did not access unencrypted credit card data because it does not store this information in this cloud storage environment. 

The company notified a small subset (less than 3%) of its Business customers to recommend that they take certain actions based on their specific account configurations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]