LastPass Admits: Some Password “Vaults” Stolen (They Remain Encrypted)

A few weeks ago, LastPass admitted to having suffered a breach. Today the company admits that hackers had access to personal information and that password “vaults” were stolen (which, however, remain encrypted and cannot be unlocked without your Master Password). After stealing technical data from the platform, the hackers attacked an employee and obtained credentials that let them steal the encrypted data.

LastPass, personal information and password “safes” stolen

LastPass CEO Karim Toubba explained on the company blog in detail how the hackers hit the security system. The first attack, the one reported last November by LastPass, allegedly left user data untouched and instead stole technical information about the service and source code.

Armed with this information, the hackers then targeted an employee, obtaining their credentials and password, which they used to gain access to customer information stored in the cloud and then decrypt it.

According to Toubba, this gave access to “usernames, billing addresses, email addresses, phone numbers, IP addresses from which they logged into LastPass.” In addition, they obtained encrypted information on “site names and passwords, secure notes and autofill fields”.

The good news is that the password information remains encrypted: you need your Master Password (the one you use to access the service) to unlock it. The bad news is that the hackers now have time to brute-force the Master Password or to phish you into handing it over, so be especially careful.

LastPass specifies that cracking a deliberately difficult Master Password of at least 12 characters would take millions of years of brute-force attempts. So as long as you stay alert to phishing, you should be on the safe side. The company has changed its infrastructure to ensure that these attacks do not happen again in the future.