Last week, the LastPass password manager disclosed that threat actors stole customer vault data after compromising its cloud storage during the August incident.
This revelation is a follow-up to a previous announcement by the company's CEO, which stated that the threat actors had gained access only to certain elements of customer information held in the password manager.
Last week, the CEO added that LastPass uses the cloud storage service to keep archived backups of production data. The adversaries breached the LastPass cloud storage using cloud storage access keys and storage container decryption keys stolen from its developer infrastructure.
The attackers copied information from a backup that included basic customer account credentials and related metadata, including end-user names, email addresses, telephone numbers, company names, billing addresses, and IP addresses.
Furthermore, the attackers duplicated a backup of customer vault data from the encrypted storage container. The company keeps this data in a patented binary format that contains both unencrypted fields, such as website URLs, and fully encrypted sensitive fields, such as website usernames, passwords, form-filled data, and secure notes; the attackers copied both kinds of fields.
According to the company, the sensitive part of the stolen vault data remains securely encrypted.
A LastPass representative noted that these fields are protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password.
According to the CEO, the master password is never sent to LastPass and is not stored on its systems, so the company does not hold it. However, the company acknowledged that the attackers could attempt a brute-force campaign to recover master passwords and thereby gain access to the stolen encrypted vault data.
Such a campaign would be slow and difficult: the company estimates that guessing the correct master password with a standard password-cracking tool could take millions of years.
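The "millions of years" claim above rests on two things: the vault key is derived client-side from the master password, and that derivation is deliberately slow. The following is an added illustration, not code from the article or from LastPass; it assumes PBKDF2-HMAC-SHA256 keyed on the account email as salt, and the iteration counts and attacker hash rates are constructed figures for comparison only.

```python
"""Added example (not LastPass's own code): derive a vault key from a master
password client-side and estimate how long an offline guessing campaign against
a stolen encrypted vault would take under different assumptions.
Assumptions not stated in the article: PBKDF2-HMAC-SHA256 as the KDF, the
account email as salt, and the constructed iteration counts / hash rates below.
"""
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit AES key from the master password on the client.
    The master password itself is never transmitted; only this derived key
    (or a further hash of it) is ever used, so the server cannot hold it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, iterations: int, hash_rate: float) -> float:
    """Expected years for an attacker to hit the right password offline.
    Each guess costs roughly 2 * iterations HMAC-SHA256 evaluations, so a
    higher iteration count divides the attacker's guess rate accordingly;
    on average half the password space must be searched."""
    guesses_per_second = hash_rate / (2 * iterations)
    expected_guesses = 2 ** entropy_bits / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "user@example.com", 100_000)
    print("derived key (hex):", key.hex())
    # Constructed attacker model: 1e10 SHA-256 ops/sec on GPUs (assumption).
    for label, length, alphabet in [("8 lowercase", 8, 26), ("12 printable", 12, 95)]:
        for iters in (5_000, 100_000):
            yrs = years_to_exhaust(password_entropy_bits(length, alphabet), iters, 1e10)
            print(f"{label:12s} @ {iters:>7d} iterations: {yrs:.3g} years")
```

The table it prints shows that the iteration count buys a constant factor, while each extra bit of master-password entropy doubles the attacker's work, which is why a short, low-entropy master password is the real risk once the encrypted vault is in attacker hands.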
The company states that the sensitive customer vault data and form-fill fields remain unaffected by the incident, since they are still encrypted under its Zero Knowledge architecture.