Look out, LastPass account holders. A blog post this week released new information related to a hack that took place earlier this year. At the time, the hack wasn’t news to us (we’re just an Android blog), as LastPass reported that the hacker had simply gained access to the developer’s test environment and some source code. However, that hack led to a more recent incident in which a hacker was able to compromise a LastPass employee’s account and gain access to much more information.
According to LastPass, someone was able to access backups of encrypted customer vault data. This vault data contains everything that a user can store in the service. We’re talking about usernames, passwords, banking information and everything else. For a hacker, this could be a gold mine.
These vaults are encrypted with some serious security, according to LastPass, meaning that nothing except the user’s master password should be able to unlock this stolen data. Luckily, LastPass doesn’t store these master passwords, so as long as a hacker can’t break into the vault (guess the correct password), the most sensitive user data should remain safe.
I’m not a security expert, so let LastPass better explain what’s going on.
To date, we have determined that after obtaining the cloud storage access key and dual storage decryption keys, the attacker copied information from a backup that contained basic customer account information and associated metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and IP addresses from which customers accessed the LastPass service.
The attacker was also able to copy a backup of customer storage data from an encrypted storage container that is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero-knowledge architecture. As a reminder, the Master Password is never known to LastPass and is not stored or maintained by LastPass. Encryption and decryption of data is performed only on the local LastPass client.
There is no evidence that any unencrypted credit card data was accessed. LastPass does not store full credit card numbers and credit card information is not archived in this cloud storage environment.
What should you do?
As long as a LastPass user follows the company’s best practices when choosing a master password, the company states that “it would take millions of years to guess your master password using publicly available password cracking technology.” This is reassuring. However, if you’re a little worried about your information, you can start changing your passwords. That is, if you want to play it safe.
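To see why the “millions of years” figure depends on the master password itself, here is an added example (not LastPass’s code and not part of the original post) that derives a 256-bit key from a master password and estimates the average offline guessing time for a few password policies. The use of PBKDF2-HMAC-SHA256, the iteration count, the attacker hash rate, the sample policies and all function names are assumptions made for illustration.

```python
import hashlib
import math

# Assumptions for illustration only (none of these figures are from the post):
ITERATIONS = 100_000          # assumed PBKDF2 iteration count
HASHES_PER_SEC = 1e10         # constructed attacker hash rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit key on the client; the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def search_space_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy in bits of `symbols` independent random picks from an alphabet."""
    return symbols * math.log2(alphabet_size)


def years_to_guess(bits: float, iterations: int = ITERATIONS,
                   hashes_per_sec: float = HASHES_PER_SEC) -> float:
    """Average offline guessing time: half the space, one KDF run per guess.
    Simplification: one PBKDF2 iteration is counted as one hash."""
    guesses = 2 ** (bits - 1)
    return guesses * iterations / hashes_per_sec / SECONDS_PER_YEAR


# Constructed password policies: (label, symbols, alphabet size)
POLICIES = [
    ("8 random lowercase letters", 8, 26),
    ("12 random printable ASCII characters", 12, 94),
    ("5 random words from a 7,776-word list", 5, 7776),
]


def compare_policies() -> dict:
    """Return {label: estimated years to guess} for each constructed policy."""
    return {label: years_to_guess(search_space_bits(n, size))
            for label, n, size in POLICIES}


if __name__ == "__main__":
    key = derive_vault_key("constructed-example-password", b"user@example.com")
    print("derived key:", key.hex())
    for label, years in compare_policies().items():
        print(f"{label:40s} ~{years:.3g} years")
```

These estimates only hold for randomly generated passwords; a reused or human-chosen master password has far less entropy than its length suggests.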
For more information on what happened and what LastPass is doing about it, follow the link below.