LastPass: Hackers Stole Customers’ Encrypted Passwords, Other Sensitive Data

CEO Karim Toubba warns bad actors may launch phishing and other attacks against customers to get keys to decrypt data


In its latest update on a breach incident dating back to August, LastPass CEO Karim Toubba indicated in a post Thursday that a previously disclosed hack by unknown bad actors may have been worse than first thought.

It turns out the hackers obtained customers’ encrypted and cryptographically hashed passwords as well as other personal information from LastPass, a leading password manager, Toubba said Thursday.

In his statement, Toubba also gave more details about how the August incident and later suspicious activity by an unknown threat actor, as he reported in November, were indeed connected.

“While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” Toubba wrote.

“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The CEO added: “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Toubba emphasized that only customers, not LastPass, have the means to decrypt those protected passwords.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba wrote.

“As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

But Toubba warned customers that hackers may launch aggressive attempts to obtain the keys to unlock currently encrypted data.

“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault,” he wrote.

“In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information,” Toubba wrote, addressing customers directly. “Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”

In November, LastPass and its Boston-based owner GoTo (formerly LogMeIn) acknowledged that their shared cloud-storage service was hit by unknown hackers.

In a post in November, GoTo chief executive Paddy Srinivasan made no mention of an unauthorized party gaining access to some customers’ information, saying his firm was “investigating a security incident” and that “we are currently working to better understand the scope of the issue.”

A representative for GoTo could not be reached for comment Thursday evening.