LastPass Vault Backups Get Stolen, Data Should be Safe

Heads up, LastPass account holders. In a blog post this week, LastPass released new information tied to a hack that took place earlier this year. At that time, the hack wasn’t exactly newsworthy for us (we’re just an Android blog), as LastPass said that a hacker merely gained access to a developer test environment and some source code. However, that hack led to a subsequent event in which the hacker was able to compromise a LastPass employee’s account and gain access to much, much more.

As detailed by LastPass, someone has been able to gain access to encrypted backup copies of customer vault data. That vault data is what contains everything a user might store with the service. We’re talking account usernames, passwords, banking information, and everything else. For a hacker, it could be the mother lode.

According to LastPass, these vaults are encrypted with some serious security, meaning nothing should be able to unlock this stolen data except a user’s master password. Thankfully, those master passwords are not stored by LastPass, so as long as the hacker is unable to brute force the vault (guess the correct master password), most sensitive user data should remain safe.

I’m not a security expert so I’ll let LastPass better explain what’s happening.

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.  

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. 

There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment. 

What Should You Do

So long as a LastPass user followed the company’s best practices in selecting a master password, the company says it would “take millions of years to guess your master password using generally-available password-cracking technology.” That’s reassuring. However, if you’re a little worried about your information, you may want to start changing your passwords. That’s if you want to be overly safe.
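To make the two points above concrete (the vault key is derived from the master password on the client and never stored by the service, and the “millions of years” figure depends on the master password, not on AES), here is an added example that is not LastPass’s code and does not use LastPass’s actual parameters. It assumes a generic zero-knowledge pattern: PBKDF2-HMAC-SHA256 with the account e-mail as salt, an assumed iteration count of 600,000, a second one-round PBKDF2 step to produce a login hash, and an assumed cracking-rig throughput of 10^10 HMAC evaluations per second. Encrypting the vault fields with the derived 256-bit key is not shown.

```python
import hashlib

# Parameters assumed for this illustration of the generic zero-knowledge
# pattern the LastPass statement describes. They are NOT LastPass's actual
# values; the article does not state iteration counts or salts.
PBKDF2_ITERATIONS = 600_000
KEY_BYTES = 32            # 256-bit key, matching "256-bit AES" in the statement
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, account_email: str,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the 256-bit key that
    encrypts the vault's sensitive fields. The lower-cased account e-mail
    serves as a per-user salt. This key is computed on the client and never
    sent to the service, which is why a stolen backup alone cannot be read."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_email.lower().encode("utf-8"),
        iterations,
        dklen=KEY_BYTES,
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra PBKDF2 round turns the vault key into a login
    credential. The service stores (a hash of) this value to authenticate the
    user, but cannot run it backwards to recover the vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=KEY_BYTES
    )


def guess_space(length: int, alphabet_size: int) -> float:
    """Number of candidate passwords for a random password of `length`
    characters drawn uniformly from an alphabet of `alphabet_size`."""
    return float(alphabet_size) ** length


def years_to_exhaust(candidates: float, iterations: int = PBKDF2_ITERATIONS,
                     hmac_per_second: float = 1e10) -> float:
    """Defender's cost model for an offline attack on a stolen vault backup:
    every candidate master password costs `iterations` HMAC-SHA256 evaluations
    before the derived key can even be tried, so time = candidates * iterations
    / rate. `hmac_per_second` is an assumed throughput for a cracking rig."""
    return candidates * iterations / hmac_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    pw = "correct horse battery staple"
    key = derive_vault_key(pw, "alice@example.com")
    print("vault key (hex): ", key.hex())
    print("login hash (hex):", derive_login_hash(key, pw).hex())

    # Why "millions of years" depends on the master password, not on AES:
    weak = guess_space(8, 26)     # 8 lower-case letters
    strong = guess_space(12, 94)  # 12 random printable ASCII characters
    print(f"8 lower-case letters:      {years_to_exhaust(weak):.2f} years")
    print(f"12 random printable chars: {years_to_exhaust(strong):.2e} years")
```

Run as a script, the cost model shows the gap the advice above is really about: with the assumed parameters an eight-letter lower-case master password can be exhausted in well under a year, while twelve random printable characters push the same attack past a billion years. The stolen backup gives the attacker the salt and the ciphertext; the iteration count and the master password’s entropy are the only things that set the price of each guess.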

For more information on what happened and what LastPass is doing about it, follow the link below.

// LastPass