Password management giant LastPass has revealed that the hackers who breached the firm in August made off with encrypted customer vault data and unencrypted account information.
The update comes after the firm originally said that the incident only resulted in a breach of “source code and some proprietary LastPass technical information.”
Then at the end of November, the plot thickened as LastPass revealed “certain elements of our customers’ information” was taken.
In a lengthy update yesterday, it revealed that the August incident resulted in hackers getting hold of “source code and technical information” from the firm’s development environment, which were subsequently used to target another employee.
In this way, they got hold of credentials and keys that were then used to access and decrypt some storage volumes within the firm’s cloud-based storage service.
This included a backup of customer vault data containing both unencrypted fields, such as website URLs, and fully encrypted, highly sensitive fields, such as website usernames and passwords.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO, Karim Toubba, said in the update.
“As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.”
If customers use the LastPass default master password settings, it would take “millions of years” for the hackers to crack their credentials, Toubba claimed.
“However, it is important to note that if your master password does not make use of the [password defaults], then it would significantly reduce the number of attempts needed to guess it correctly,” he added.
“In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
Customers may also be facing a barrage of phishing attempts using unencrypted account details stolen by the hackers.
Among the data stolen here were “company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service.”