In November, LastPass, one of the largest password managers, said that there had been a data breach in the company’s servers where attackers accessed some parts of the stored customer information, which as per the company was not something of importance. LastPass was already under criticism as the company was hacked in August of this year. And just three months later, it was reporting a second data breach. At that time, LastPass did not reveal what kind of customer information was accessed during the August and November breach. Instead, the company said that the attackers were able to access some parts of their source code and some encrypted customer information. But now, LastPass has said that the information which was accessed during these data breaches was the encrypted customer information, which the attackers can decrypt based on the source code and other information which attackers stole during the data breaches.
Data breaches have always been a massive problem for the general public rather than the companies which get breached. A similar can be said about the LastPass data breach, where people store passwords for all of their important accounts. Now the attackers who hacked LastPass servers now have important customer information along with their passwords at their disposal. Although these passwords were encrypted with the company’s advanced encryption system, if the attackers find a way to decrypt this data, they can have access to the accounts of thousands of people who were using LastPass for managing their passwords. This news is coming as the Christmas weekend is almost on the verge, when people expect to have a relaxing time during their winter holidays. But this news has created a situation of panic for the LastPass users.
LastPass made a blog post to announce the current situation on its website. In this blog post, LastPass first agreed that during the data breach that occurred in August 2022, information related to the source code and internal matters was stolen by the attackers. Further, LastPass said that this information was then used by the attackers to target one of LastPass employees to access their account on company servers. Through this, the attackers were able to access and decrypt several storage volumes stored on their cloud-based storage service. LastPass uses the cloud-based storage service for spring valuable information such as backups and residency requirements. The company said that this service is separated from its production environment. LastPass admitted that after obtaining the cloud storage access key and dual storage container decryption keys, the attackers were and decrypt storage volumes involving company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses of the devices which LastPass users used to access the LastPass services. LastPass said that the storage vault which attackers accessed also contained large amounts of unencrypted data like website URLs and encrypted data including sensitive information such as website usernames and passwords, secure notes, and form-filled data. Although the company is saying that the data which was stolen was completely encrypted and is safe, only the attackers can now tell how much information they were able to successfully obtain from LastPass servers.
