LastPass Confirms Customer Password Vaults Were Accessed

LastPass Confirms Customer Password Vaults Were Accessed

LastPass, a popular password management service used by many to achieve cybersecurity nirvana, in August confirmed some of its internal source code had been stolen in a ‘security incident’.

LastPass at the time assured users of its service that no ‘master passwords’ had been compromised because they “never store or have knowledge of your master password”. Vault data, it said, was also safe.

In a blog post announcing the security incident, LastPass said it detected some “unusual activity” within portions of its development environment.

“After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” it said.

The company had determined, however, that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.

Today, it confirmed things are actually a hell of a lot worse than it thought.

“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

In a blog post detailing the extent of the breach, CEO Karim Toubba said LastPass has determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from a backup that contained basic customer account information and related metadata. This related metadata included company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service.  

There is a little bit of good news here. Toubba said customers’ password vaults that, while accessed, are encrypted and can only be unlocked with the individual’s master password (not something LastPass stores). However…

The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password-cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls,” the blog continues.

Password managers — which are handy tools to store all your web credentials in one centralised, supposedly secure, location — have been known to have serious security vulnerabilities, the likes of which could hypothetically lead to hacking incidents. LastPass has had its fair share of these issues. If you cast your mind back a year ago, LastPass users were receiving emails from the company warning them of suspicious login attempts that were utilising their master password.

Obviously, this recent incident is not related to that, but a little bit of history never hurt anyone, especially when you’re trusting a third-party with protecting your personal information.

This article has been updated since it was first published.

The Cheapest NBN 50 Plans

It’s the most popular NBN speed in Australia for a reason. Here are the cheapest plans available.

At Gizmodo, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.