Heads up, LastPass account owners. A blog post this week revealed detailed new information linked to a hack that occurred earlier this year. At the time, the hack wasn’t exactly newsworthy for us (we’re just an Android blog), as LastPass said a hacker only got access to a developer test environment and some source code. However, because of that hack, a subsequent event recently occurred where hackers were able to compromise LastPass employee accounts and gain access to more.
As detailed by LastPass, someone was able to gain access to encrypted backup copies of customer vault data. This vault data contains everything a user can store with the service. We’re talking about account usernames, passwords, banking information, and everything else. For a hacker, it could be a treasure trove.
According to LastPass, these vaults are encrypted with some serious security, meaning no one should be able to access this stolen data without the master password. Fortunately, those master passwords are not stored by LastPass, so as long as the hacker is unable to brute-force the vault (by guessing the correct password), the most sensitive user data should be safe.
I’m not a security expert, so I’ll let LastPass better explain what’s going on:
To date, we have determined that once the cloud storage access keys and dual storage container decryption keys were obtained, the threat actor copied information from backups that contained primary customer account information and related metadata, including company name, end user name, billing address, email address, telephone number and the IP address from which customers were accessing the LastPass service.
The threat actor was able to copy a backup of Customer Vault data from an encrypted storage container that is stored in a proprietary binary format that contains both encrypted data such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form fill data. These encrypted fields are protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero-knowledge architecture. As a reminder, master passwords are never known to LastPass and are not stored or maintained by LastPass. Encryption and decryption of data is performed only in the local LastPass client.
There is no evidence that any encrypted credit card data was accessed. LastPass does not store full credit card numbers and credit card information is not stored in this cloud storage environment.
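The client-side model that statement describes, as an added example that is not LastPass code or its vault format: a key is derived from the master password on the device and used for 256-bit AES, so a copied backup record only opens for someone who can supply that password. PBKDF2-SHA256, the iteration count, AES-GCM and every name and sample value below are assumptions; the page states only 256-bit AES and a key derived from the master password.

```javascript
// Added illustration only; not LastPass code and not its vault format.
const crypto = require('node:crypto');

// Assumptions (not from the page): PBKDF2-SHA256 as the derivation function,
// this iteration count, and AES-GCM as the AES mode.
const KDF_ITERATIONS = 600000;
const KEY_BYTES = 32; // 256-bit AES key

// Runs on the client: the master password never leaves this function's caller.
function deriveVaultKey(masterPassword, salt, iterations = KDF_ITERATIONS) {
  return crypto.pbkdf2Sync(masterPassword, salt, iterations, KEY_BYTES, 'sha256');
}

// Encrypt one sensitive field; only iv, ciphertext and tag would be uploaded.
function sealField(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the record was altered.
function openField(key, sealed) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  try {
    return Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM authentication failed
  }
}

// Constructed sample: what a holder of the backup can and cannot do with one record.
function demo() {
  const salt = Buffer.from('user@example.com', 'utf8'); // constructed per-user salt
  const clientKey = deriveVaultKey('correct horse battery staple', salt);
  const backupRecord = sealField(clientKey, 's3cr3t-site-password');

  const guessedKey = deriveVaultKey('Password123', salt); // a wrong master password
  return {
    withMasterPassword: openField(clientKey, backupRecord),
    withWrongGuess: openField(guessedKey, backupRecord),
  };
}

console.log(demo());
```

Each candidate master password costs a full key derivation before it can be checked against a record, which is why the strength of the master password decides how long a copied vault stays closed.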
What should you do?
As long as a LastPass user follows the company’s best practices in choosing a master password, the company says, “It would take millions of years to guess your master password using commonly-available password-cracking technologies.” That’s reassuring. However, if you’re a little worried about your information, you might want to start changing your password if you want to be overly safe.
For more information on what happened and what LastPass is doing about it, follow the link below.