The LastPass security breach in August 2022 may have been more serious than the company previously disclosed.
On Thursday, a popular password management service said malicious actors used data siphoned from previous intrusions to obtain mountains of personal information belonging to its customers, including encrypted password vaults. clarified.
Among the stolen data was “basic customer account information, including company name, end-user name, billing address, email address, phone number, and the IP address from which the customer was accessing the LastPass service. associated metadata” was included. Said.
The August 2022 incident is the subject of an ongoing investigation and involved malicious individuals accessing source code and proprietary technical information from a development environment via one compromised employee account .
LastPass said this allowed an unidentified attacker to obtain credentials and keys that were then used to extract information from backups stored on a cloud-based storage service.
Additionally, the attackers allegedly copied customer vault data from an encrypted storage service. A “proprietary binary format” containing both unencrypted data such as his URL for a website, and fully encrypted fields such as website usernames and passwords, secure notes and form input data is saved in .
According to the company, these fields are protected using 256-bit AES encryption, and users master password on the user’s device.
LastPass confirmed that access to unencrypted credit card data was not related to security lapses, as this information was not archived in a cloud storage container.
The company didn’t say how recent the backups were, but warned that attackers “could try to guess your master password by brute force and try to decrypt the copy of the vault data they got.” , social engineering and credential stuffing attacks.
It is worth noting at this stage to predict the success of the brute force attack. master password Inversely proportional to strength. In other words, the easier it is to guess a password, the fewer attempts it takes to crack it.
“If you reuse your master password and that password is compromised, a threat actor may attempt to access your account using a dump of compromised credentials already available on the Internet.
The fact that the website URL is in plaintext means that successful cracking of the master password could allow an attacker to recognize which website a particular user has an account on, allowing additional phishing attacks and credential information. It means that you can launch a theft attack.
The company further said it notified a small subset (less than 3%) of its business customers to take certain and unspecified actions based on their account configuration.
The development comes days after Okta admitted that attackers gained unauthorized access to its Workforce Identity Cloud (WIC) repository hosted on GitHub and copied the source code.
