Dec. 23 (Portaltic/EP) –
LastPass has confirmed that the security breach reported last August, through which it was detected that a third party had accessed its development environment, resulted in the theft of encrypted data included in its clients’ vaults.
LastPass is a password manager that stores all usernames and passwords in a protected environment called a vault. The vault is the central store for all saved data, so once the service saves a password, it will always remember it when the user logs into a web page.
In August of this year, this ‘online’ password manager reported a security incident whereby a third party accessed its development environment, without affecting the data or credentials saved by users.
However, the company has posted an update on this case and has confirmed that, although it initially stated that users' personal information had not been compromised, the attacker did take advantage of that security breach to steal part of its code and technical information and to access information stored in its cloud storage service.
In fact, this malicious actor not only accessed that customer information, but also made a copy of its existing cloud backup. This backup contained basic customer account information.
Among the stolen data were company and user names, billing addresses, email addresses, telephone numbers and even the IP addresses from which customers accessed the LastPass service, as reported in a statement.
The company has also indicated that the hackers were able to make a backup copy of the data in customers' vaults. They were able to access unencrypted data such as website URLs. However, they also had access to "fully encrypted" confidential data, such as website usernames, passwords, secure notes and completed forms.
In this regard, the password manager has insisted that these fields are encrypted and remain protected with 256-bit AES encryption, a system that guarantees that, despite having been stolen, they cannot be used.
“They can only be deciphered with a unique encryption key derived from the master password of each user,” it pointed out, emphasizing that unlocking them requires a unique encryption key that depends on the master password, which is achieved through its Zero Knowledge architecture.
LastPass has also communicated that “there is no evidence” that any unencrypted credit card data was accessed, and has added that its system does not store full credit card numbers. What’s more, customer card information is not archived in this cloud storage environment.
Thus, LastPass has insisted that even if cybercriminals “attempted to use brute force” to guess master passwords and decrypt data from client vaults, “it would be extremely difficult” due to the ‘hashing’ and encryption methods used by the company.
“We routinely test the latest password cracking technologies against our algorithms to keep up with and improve our cryptographic controls,” said LastPass CEO Karim Toubba, who signs this statement.
POSSIBLE ‘PHISHING’ ATTACKS
Because of this incident, Toubba has alerted customers that criminals could launch phishing attacks to try to decrypt the stolen data that they cannot access due to the aforementioned protection system.
For this reason, he has indicated that the company will never contact its customers by phone call, email or text message urging them to verify their personal information through a link.
In any case, he has encouraged customers to change their current LastPass master password to a new, unique password. He has also indicated that it is important not to use that credential on other websites under any circumstances.
In this context, Toubba has stated that the company is taking precautions to avoid attacks of this kind in the future. Thus, he has stressed that it has added additional logging and alerting capabilities to help detect unauthorized activity and that it has strengthened developer authentication mechanisms.