In the original report about the data breach incident discovered in August, LastPass said that “only” the company’s source code and proprietary information were compromised. Users’ data and passwords remained safe and untouched. Now, a follow-up security notice on that same incident says otherwise: the malicious actors were able to access some users’ data too.

The black hat hackers obtained the cloud storage access key and dual storage container decryption keys, LastPass says. With the stolen keys, they were able to further compromise the platform’s security by copying a backup that contained “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” The cyber-criminals were also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format. The container includes both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
However, LastPass said, the encrypted fields “remain secure” even in cyber-criminals’ hands, as they were generated with a 256-bit AES-based encryption algorithm and “can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.” Zero Knowledge means that LastPass does not know the master password needed to decrypt the data, and that decryption itself is performed only on the local LastPass client, never on the server. As for credit card data, LastPass partially stores it in a different cloud environment, and there are no indications that such data was accessed – so far, at least.

All things considered, LastPass is trying to send the message that, despite the extended breach of the company’s platform, users’ encrypted data should still be safe from any nefarious intent. That is not to say there are no risks or dangers arising from the breach, however. A very determined malicious actor could try to brute-force the encrypted passwords, LastPass says, even though the attempt would be “extremely difficult” as the company routinely tests “the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.” There could be additional risks from phishing attacks or brute-force attacks against online accounts associated with users’ LastPass vaults. On this point, LastPass reminded users that it will never call, email, or text them and ask them to click on a link to verify their personal information, and it will never ask for a vault’s master password either. As a more drastic security measure, users of the online password manager are advised to change their master password and all the passwords stored in the vault anyway.