LastPass hacker got customer information and their encrypted vault data

Business and personal users of the LassPass password management solution are being warned to take defensive action after the company acknowledged customer information and encrypted data they had stored in the service’s digital vault were copied by a hacker in a supply chain attack.

“Users should beware of sophisticated phishing attacks aimed at stealing their master password,” said  Mike Walters, vice-president of vulnerability and threat research at Action1, a provider of patch management solutions. “An attacker can pretend to be LastPass, regulatory authorities, and other organizations and trick users into sharing their credentials. Remember, modern phishing can go beyond average emails and combine different communication channels, such as phone calls, SMS, messengers, and others.

“I recommend that all users change their master passwords and enforce password security best practices. It includes creating a strong master password at least 30 characters long, re-encrypting the password vault, and enabling multi-factor authentication (MFA).”

His advice comes after LastPass CEO Karim Toubba acknowledged that last August’s data breach was worse than he described earlier this month. A hacker accessed a third-party cloud-based storage service LastPass uses to store archived backups of its production data using information gained from an August attack.

After further investigation, the company realized that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backups that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

In addition, the hacker also copied an encrypted backup of customer vault data from the encrypted storage container. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said in a blog. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client” of a user.

“Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” he maintained.

“This incident shows that an experienced attacker can exploit a company’s security vulnerabilities and steal sensitive customer data even if he has initially gained access to a certain part of the corporate infrastructure that is not directly related to this sensitive data,” said Walters.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs