LastPass admits password vaults have been stolen


On 22nd December 2022, LastPass revealed that attackers took customer vault data after accessing its cloud storage earlier this year using data acquired during an incident in August 2022.

“we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” said the company.

The stolen data includes a backup containing basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The vault data is encrypted using 256-bit AES encryption, and only a unique encryption key generated from each user’s master password can be used to decrypt it. LastPass never has access to the master password, does not store it anywhere on its systems, and does not keep track of it.

Customers were also warned that the attackers would attempt to crack their master passwords in order to access the encrypted vault data that had been stolen. If customers follow the LastPass-recommended password best practices, this would be exceedingly challenging and time-consuming.

“If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time,” said Karim Toubba, CEO of LastPass.

LastPass added that, based on their account configurations, it had notified a limited group of its business customers (less than 3%) to take a particular, unspecified action.

Source

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Recent Breach

https://cyberlabsservices.com/last-pass-source-code-exposed-in-data-breach

May 21st, 2024
