
LastPass Hack Gets Worse: Culprit Stole Customers' Encrypted Password Vaults

LastPass is warning the hacker could gain access to the encrypted password vaults by trying to find ways to uncover customers' master passwords.

Well, it’s bad. LastPass has lost a copy of customers’ encrypted password data to a hacker, who recently breached the company’s systems. 

The hacker looted the password data by copying a “backup of customer vault data” from an encrypted storage container during the intrusion, LastPass said on Thursday. 

The company supplied the update three weeks after it confirmed a breach that led to the hacker stealing customer information. At the time, it remained unclear what user data had been exposed, but now LastPass is revealing that the breach is about as bad as it can get. 

The stolen vault data contained “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” along with unencrypted website URLs. 

LastPass is emphasizing that the stolen vault data remains protected because it’s been secured with 256-bit AES encryption. The encryption key is derived from the vault’s master password, so to decrypt the data the hacker would need that master password, something only the customer should know. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass,” the company said. 

The problem is that the hacker could use several approaches to obtain a customer’s master password. One is simply guessing it with a brute-force attack. Because the attacker holds a copy of the vault, that guessing happens offline on the attacker’s own hardware, unconstrained by LastPass’s login rate limits; only the cost of the key-derivation function and the strength of the password itself stand in the way. LastPass says such an attack would be incredibly hard to pull off if the customer had used a complex password. As a security measure, LastPass has also required master passwords to be at least 12 characters long since 2018, though accounts created before that requirement may still use shorter ones. 


The other way a hacker could steal a master password is by phishing customers. This could involve sending fake emails or text messages pretending to be LastPass in an effort to dupe unsuspecting users into giving up the login credential. 

During the breach, the hacker also obtained “basic customer account information,” including email addresses, telephone numbers, billing addresses and IP addresses, making it easy for the culprit to target individual users with convincing, personalized lures. 

So to guard against such phishing, LastPass is telling users: “It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”

The hacker was able to infiltrate LastPass by first stealing source code and technical data from the company back in August. The stolen information then paved the way for the culprit to target a LastPass employee and lift their credentials and security keys to access files from the company’s cloud-based storage service.

The cloud-based storage operates separately from LastPass’s production IT systems. Nevertheless, it contains backups of the company’s data.  

In response to the breach, LastPass is indicating it reset all corporate login credentials across the company. “We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment,” it said. 

Even so, the hack risks undermining confidence in the password manager provider. LastPass is telling customers that no action is needed if their master password is complex and follows best practices. To be safer, affected users can consider changing any crucial passwords stored in their vault and turning on two-factor authentication for the corresponding internet accounts, so that a cracked vault entry alone is not enough to log in.

About Michael Kan