LastPass provides an update on security breach

LastPass has provided an update on a security breach of internal source code and sensitive documents previously disclosed this past August.

LastPass issued a statement regarding the issue on December 22, 2022 that involves the theft of employee credentials and access to cloud-based backup storage:

“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

Moreover, LastPass confirmed the threat actor also gained access to a backup copy of customer account data to include company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.  

However, LastPass confirmed other sensitive data accessed (such as website usernames/passwords, secure notes, and form-filled data) was fully encrypted using 256-bit AES encryption. In addition, no master account passwords nor credit card numbers were stolen.

As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client,” LastPass further added.

LastPass also assured customers who have implemented LastPass’ default master password settings and best practices, “it would take millions of years to guess your master password using generally-available password-cracking technology.”

Related Articles