HomeStrategyPoliticsLastPass Confirm Hackers Stole Customer Passwords in Recent Admission

LastPass Confirm Hackers Stole Customer Passwords in Recent Admission


The data breach which hit password manager LastPass this August was more serious than earlier perceived, and involved customer passwords being stolen, the company admitted in a latest update on the situation.

In the August hack, the company claimed that a threat actor gained internal access to its systems for a period of four days, and was able to steal a portion of the password manager’s source code as well as technical information. After conducting an investigation, the company saw “no evidence” that the hacker was able to access customer data or encrypted password vaults, the firm initially claimed. But in its update on Dec. 22, the company admitted to customer data being affected by the breach.

The threat actor was able to copy “a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” the company said.

The hacker also copied information from backup that contained basic customer account information and related metadata, including end-user names, email IDs, telephone numbers, billing addresses, and company names. IP addresses using which customers were accessing the LastPass service were also copied.

The company claims that the encrypted fields “remain secured” with 256-bit AES encryption, and that it can only be decrypted using a unique encryption key created from each user’s master password using LastPass’s Zero Knowledge architecture.

The company neither knows the master password nor does it store or maintain it, according to the post. There is “no evidence” that any unencrypted credit card data were accessed by the threat actor.

Password Safety

Since 2018, LastPass has required master passwords to be at least 12 characters in length at a minimum, which would minimize the possibility of brute force password guessing becoming successful.

The company uses a “stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2),” which is a password-strengthening algorithm that makes it difficult to guess the master password. The firm also asks users never to reuse their master passwords on other services.

If customers have followed these instructions, LastPass estimates that it would take “millions of years” to guess the master password by current cracking technologies. For such customers, the company does not recommend any actions that need to be taken at this point in time.

Customers who have not followed the instructions have been recommended “as an extra security measure” to change the passwords they have stored with LastPass.

“This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution … In the meantime, our services are running normally, and we continue to operate in a state of heightened alert,” the post said.

Founded in 2008, LastPass is headquartered in Boston, Massachusetts, and generated a revenue of $200 million in 2021. It accounts for 21 percent of the password manager market in the United States.

On Nov. 30, the firm had reported its second security incident for the year, with unusual activity detected within a third-party cloud storage service that it shares with its affiliate GoTo.

Naveen Athrappully

Naveen Athrappully is a news reporter covering business and world events at The Epoch Times.



Source link

NypTechtek
NypTechtek
Media NYC Local Family and National - World News

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Must Read