The security breach of LastPass in August 2022 may have been more severe than previously disclosed.
The popular password management service disclosed on Thursday that malicious actors obtained a trove of personal data belonging to its customers, including their encrypted password vaults, using information stolen in an earlier intrusion.
The stolen information includes company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses from which customers accessed the LastPass service, according to the company.
The August 2022 incident, which is still under investigation, involved the unauthorized access of source code and proprietary technical information from the company’s development environment through a single compromised employee account.
This, according to LastPass, allowed an unidentified attacker to obtain credentials and keys, which were then used to extract data from a backup stored in a cloud-based storage service, which is physically distinct from its production environment.
The adversary is also believed to have copied a backup of customer vault data from the encrypted storage container. The vault is stored in a “proprietary binary format” that mixes unencrypted fields, such as website URLs, with fully encrypted fields, such as website usernames and passwords, secure notes, and form-fill data.
The company explained that the encrypted fields are protected with 256-bit AES and can only be decrypted with a key derived from the user’s master password on the user’s own device.
LastPass confirmed that the security breach did not involve unauthorized access to unencrypted credit card information, as such data was not stored in the cloud storage container.
The company did not disclose how recent the backup was but warned that the threat actor “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” in addition to launching social engineering and credential stuffing attacks against customers.
The effort such an attack requires is governed by master password strength: each additional bit of entropy doubles the expected number of guesses, so a short, common, or reused master password can be recovered from a wordlist of previously leaked credentials long before the cost of key derivation becomes a meaningful obstacle.
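To make the cost argument concrete, the following is an added example, not code from the article or from LastPass. It models the offline attack the company warns about: the attacker holds a copy of the vault and tests candidate master passwords locally, paying one key derivation per guess. The key derivation is assumed to be PBKDF2-HMAC-SHA256 (the iteration count, salt, wordlist and master password are constructed for the demo), and an HMAC "key check" stands in for the real step of decrypting an AES field and seeing whether sensible plaintext comes out; the per-guess cost is the same either way because PBKDF2 dominates.

```python
import hashlib
import hmac
import math
import time

# Constructed demo parameter (not from the article). Real deployments use far more
# iterations; a low count here only makes the demo run faster, which favours the attacker.
DEMO_ITERATIONS = 2_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password (PBKDF2-HMAC-SHA256 assumed)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_key_check(key: bytes, salt: bytes) -> bytes:
    """Stand-in for 'decrypt a known field and see if it makes sense': an HMAC over the
    salt keyed with the derived key. Only the derived key can reproduce it."""
    return hmac.new(key, salt, "sha256").digest()


def build_stolen_vault(master_password: str, iterations: int = DEMO_ITERATIONS) -> dict:
    """Construct what the attacker walks away with: salt, iteration count and ciphertext
    material, but never the master password or the key."""
    salt = b"constructed-per-user-salt"
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": make_key_check(key, salt)}


def offline_guess(stolen_vault: dict, candidates):
    """Try each candidate master password against the stolen copy.
    Returns (password, guesses_tried) on success, (None, guesses_tried) otherwise."""
    tried = 0
    for pw in candidates:
        tried += 1
        key = derive_vault_key(pw, stolen_vault["salt"], stolen_vault["iterations"])
        if hmac.compare_digest(make_key_check(key, stolen_vault["salt"]), stolen_vault["check"]):
            return pw, tried
    return None, tried


def expected_guesses(entropy_bits: float) -> float:
    """A password with H bits of entropy falls after about 2**(H-1) guesses on average."""
    return 2.0 ** (entropy_bits - 1)


def seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    return expected_guesses(entropy_bits) / guesses_per_second


def iteration_bonus_bits(iterations: int) -> float:
    """Raising the KDF iteration count by a factor k slows every guess by k, which is
    worth only log2(k) bits of extra password entropy."""
    return math.log2(iterations)


def benchmark_guess_rate(iterations: int, samples: int = 10) -> float:
    """Measure single-core PBKDF2 guesses per second on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", b"benchmark-salt", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed "leaked credential dump" in which the victim reused a weak password.
    leaked_dump = ["password", "letmein", "Summer2022!", "correct horse battery staple"]
    vault = build_stolen_vault("Summer2022!")
    print("recovered:", offline_guess(vault, leaked_dump))  # ('Summer2022!', 3)

    rate = benchmark_guess_rate(DEMO_ITERATIONS)
    print(f"~{rate:.0f} guesses/s at {DEMO_ITERATIONS} iterations on one core")
    for bits in (28, 40, 60, 80):
        print(f"{bits:>3} bits of entropy: ~{seconds_to_crack(bits, rate) / 86400:.3g} days")
    print(f"100,100 iterations instead of 1 buys {iteration_bonus_bits(100_100):.1f} bits")
```

The table the script prints is the whole story in miniature: at any realistic guess rate, a password drawn from a leaked dump or with under about 40 bits of entropy is recovered in minutes to days, while 80 bits is out of reach, and no affordable iteration count closes that gap.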
“If you reuse your master password and that password was ever compromised, a threat actor could use publicly available dumps of compromised credentials to attempt to access your account,” LastPass warned.
Because website URLs are stored in plaintext, an attacker does not need the master password at all to learn which websites a given user holds accounts with; that list alone is enough to mount targeted phishing or credential-theft attacks against those accounts.
The company said it has advised a small subset of its business customers, less than 3 percent, to take certain unspecified actions based on their account configurations.
The development comes days after Okta disclosed that threat actors accessed its Workforce Identity Cloud (WIC) code repositories hosted on GitHub and copied the source code.