In early December, password manager LastPass disclosed a data breach, confirming that threat actors had accessed portions of the company's development environment through a single compromised developer account and had stolen parts of its source code and some proprietary technical information.
Now LastPass revealed that attackers stole customer vault data after breaching its cloud storage service, which LastPass uses to store archived backups of its production data. The attacker accessed the cloud storage using information stolen during an August 2022 incident.
According to a blog post by the company's CEO, Karim Toubba, "once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from the backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."
LastPass noted that the threat actor was also able to copy a backup of customer vault data from the encrypted storage container. The backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-fill data.
However, these encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data are performed only on the local LastPass client.
The company mentioned that there is no evidence that any unencrypted credit card data was accessed, as LastPass does not store complete credit card numbers and credit card information.