LastPass: Hackers stole customers’ encrypted passwords

Spread the love

The hackers who stole data from LastPass this summer stole users’ encrypted usernames and passwords. These are encrypted with AES-256 and the master password was not stolen in the attack. The passwords can be bruteforced.

The hacker gained access to a backup of customers’ vault data, which contains unencrypted data such as URLs and encrypted usernames, passwords, notes, and form-filled data. This encrypted data can according to LastPass can only be decrypted with the master password. LastPass does not store this password.

That master password can be retrieved using brute force techniques and the encrypted data could still be read, LastPass acknowledges. The company says that if users followed LastPass’s recommendations, such as a 12-character master password, it should take millions of years for the password to be bruteforced “based on current prevailing bruteforce techniques.”

LastPass therefore says that these users do not need to take any action. Only users who have a shorter password, use it elsewhere, or whose password is not protected with LastPass’ latest pbkdf2 algorithm implementation will be advised by LastPass to change website passwords. LastPass increased its pbkdf2 implementation to 100,100 iterations in 2018, but only for master passwords created afterward.

The company does not say how many customers have been affected, only that it has approached ‘less than three percent’ of all business customers with advice to take action. To do this, the company looked at the settings of these customers. Business customers who have not been contacted by LastPass do not need to take any action, according to the company. The company says nothing about private customers.

The hackers gained access to user passwords after a previous hacking attack in August. The hacker gained access to the LastPass developer environment and source code and other technical information was stolen. The hackers used this information to “target” an employee, obtaining login credentials to gain access to LastPass cloud storage.

The password manager said earlier this month that customer data had been accessed, including user or company names, addresses, email addresses, telephone numbers and IP addresses. LastPass now acknowledges that encrypted passwords were also stolen. LastPass says it has taken several steps to reduce the risk of a follow-up hack, including additional logging capabilities, new development environments and better authentication of developer accounts. Police services and relevant supervisors have been notified by LastPass. The company is also warning users about phishing attempts following the hack.

You might also like
Exit mobile version