
Password manager LastPass US LP today revealed that a hacker who gained access to its systems last month copied data from a backup that contained customer account information. 1, saying at the time that a hacker had gained access to a third-party cloud storage service used by the company and affiliate GoTo Technologies USA Inc. The hacker had gained access using information obtained in a previous breach reported by LastPass in August.

As part of its commitment to transparency, LastPass today provided an update on its investigation, saying it discovered that the hacker, having gained access to the cloud storage, copied a backup that contained basic customer account information and related metadata. The data included company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing LastPass.

The threat actor also copied a backup of customer vault data from the encrypted storage container. That backup is stored in a proprietary binary format that contains unencrypted data, such as website URLs, alongside fully encrypted sensitive fields such as website usernames, passwords, secure notes and form-filled data. In other words, the hacker stole a copy of encrypted password vaults.

In a blog post, LastPass pointed out that the encrypted fields remain secured with 256-bit AES encryption. The encryption used requires a unique encryption key derived from each user's master password, a password that is not known or stored by LastPass itself. The customer vault data may be encrypted, but that does not mean that the data gathered by the hacker cannot be used for nefarious purposes.
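The mixed layout described above (cleartext URLs next to fields encrypted under a key derived from the master password) is modelled in the following example, added here and not code from LastPass or the article. The record format, the PBKDF2 work factor and the use of the account email as salt are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for AES-256 so that the example runs with only the standard library.

```python
import hashlib, hmac, json, os, struct

# Constructed stand-in for the "proprietary binary format" the article describes;
# the real LastPass layout is not given here, so this record layout is an assumption:
#   2-byte URL length | URL (cleartext) | 16-byte nonce | 4-byte length |
#   ciphertext of the JSON-encoded sensitive fields | 32-byte HMAC-SHA256 tag
ITERATIONS = 100_000  # assumed PBKDF2 work factor, not LastPass's actual setting

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Per-user vault key from the master password (salt assumed to be the account
    email). The service never holds the password, so only the user can derive this."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for AES-256 (stdlib only): HMAC-SHA256 run in counter mode.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_record(key: bytes, url: str, fields: dict) -> bytes:
    nonce = os.urandom(16)
    plain = json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    u = url.encode()
    return struct.pack(">H", len(u)) + u + nonce + struct.pack(">I", len(ct)) + ct + tag

def parse_record(blob: bytes):
    (ulen,) = struct.unpack(">H", blob[:2]); p = 2
    url = blob[p:p + ulen].decode(); p += ulen
    nonce = blob[p:p + 16]; p += 16
    (clen,) = struct.unpack(">I", blob[p:p + 4]); p += 4
    ct = blob[p:p + clen]; p += clen
    return url, nonce, ct, blob[p:p + 32]

def exposed_without_key(blob: bytes) -> str:
    """What anyone holding the stolen backup reads with no key at all: the URL."""
    return parse_record(blob)[0]

def decrypt_record(blob: bytes, master_password: str, salt: bytes):
    """Returns the sensitive fields only for the right master password; None otherwise."""
    url, nonce, ct, tag = parse_record(blob)
    key = derive_key(master_password, salt)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong password (or tampered record): the fields stay opaque
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
```

The point for a defender is visible in the two reading paths: the URL comes out of the blob with no key, while the username and password come out only through the master-password-derived key, so a stolen backup turns vault security into a question of master password strength and KDF cost.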
