Lastpass: Hackers stole customer vault data in cloud storage breach

LastPass today revealed that hackers stole vault data from customers after they breached its cloud storage this year. They used information taken during the August 2022 attack.

The update follows an earlier one last month, in which Karim Toubba (CEO) stated that the threat actor had gained access “certain elements” to customer data.

Toubba updated the original statement to say that Lastpass’ cloud storage could be accessed with “cloud storage acces key” and “dual storage container encryption keys”, stolen from Lastpass’ developer environment.

Toubba stated today that the threat actor had copied customer information from backup. This information included basic information such as company names and end-user numbers. It also contained billing addresses and email addresses. He also provided metadata, including telephone numbers and IP addresses.

The threat actor also was able to obtain a backup customer vault data from an encrypted storage container. This proprietary binary format contains both fully-encrypted and unencrypted fields, including website URLs.

Some vault data that was stolen is now “safely encrypted”.

The encrypted data can be decrypted only with an unique encryption key that is derived from the master password of each user.

Toubba claims that the master password was never given to LastPass. It isn’t stored in LastPass’ systems and LastPass doesn’t keep it.

Customers were warned by the attackers that they might attempt to force them to change their master passwords in order to access the encrypted vault data stolen.

This would however be extremely difficult and time-consuming for those who have been following as recommended by LastPass.

Toubba said that it would be difficult to crack your master password with the generally available password-cracking technology.

LastPass’ Zero Knowledge architecture ensures that your sensitive vault data such as passwords, usernames, forms, attachments, notes and secure notes are protected.

Two times in one year

After , which confirmed that the cloud storage environment had been compromised using a compromised developer accounts, this is now the second security breach disclosed by the company.

Lastpass published August’s advisory days following BleepingComputer reaching out. They received no reply to our questions about possible breaches.

Lastpass sent emails to its customers confirming that the attackers had stolen proprietary technical information as well as source code.

In an update to the original post, that the attacker responsible for the August breach had internal access to the company’s systems for at least four days before being expelled.

LastPass claims that its password management software has been used by over 33 million users and 100,000 companies worldwide.