LastPass, a password management service, announced on Thursday that hackers stole encrypted copies of customer passwords and other sensitive data such as billing addresses, phone numbers and IP addresses.
The announcement is the latest update from a breach that took place in August. At the time, the company said they had seen no evidence that the hackers had access to customer data or encrypted password vaults.
The world’s most popular password manager says it’s been hacked
But the company’s statement on Thursday said that the source code and technical information stolen as part of that hack were used to attack another employee. The hackers were then able to obtain credentials and keys to access and decrypt data stored in a third-party cloud storage space.
They were able to copy things like basic customer account information, including email addresses and the IP addresses from which customers accessed LastPass, and “fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form entries.”
Password managers are a way for customers to store usernames and passwords in one place and are accessed through a master password that a customer creates. The master password is not known to LastPass, nor is it stored or maintained by the company, it said in its statement.
The other encrypted data can only be decrypted “with a unique encryption key derived from each user’s master password,” the company said.
Nevertheless, LastPass warned customers that they could be targeted by social engineering, phishing attempts or other methods.
“The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they have made,” the company said in a statement. “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to brute force guess master passwords for customers following our password best practices.”
For those following LastPass password guidelines, “it would take millions of years to guess your master password using commonly available password-cracking technology,” the company said.
A LastPass representative did not respond to messages asking for comment.
The company said it hired cybersecurity firm Mandiant to investigate the breach. It also said it is rebuilding its entire development environment from scratch, an indication that hackers had thoroughly undermined the company’s sensitive systems.
LastPass said the investigation is ongoing and it has notified law enforcement and “relevant regulatory agencies.”
Photo: Photographer: Chris Ratcliffe/Bloomberg
Copyright 2022 Bloomberg.