The popular password manager, LastPass, had a breach in August of this year (2022). While the company notified users of the breach on August 25th, the organization stated only source code and some technical information were taken. The forensic investigation was completed in September and LastPass notified users that no encrypted password vaults were taken.

On November 30th, LastPass published a notification about unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. At the time, an investigation was ongoing to determine the scope of the incident. LastPass “determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” An update was published in December confirming the acquisition of customer data by the threat actor.

Information Taken

According to LastPass, stolen information included basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. More importantly, the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Soon after the notice was posted, security researchers started digging into the details of the incident to determine what exactly threat actors could do with the password vaults they copied. It seems there are two main issues with the stolen information.

According to LastPass, encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using Zero Knowledge architecture.

The issue is the number of fields that are NOT encrypted. It seems that when a password entry is created in LastPass, the URL, Name, Password Creation Time, Last Password Modification Time, Last Password Access Time, if the account is a favorite, if the password was auto-generated, and potentially Notes are not encrypted.
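
Because the URL field is stored unencrypted, anyone holding a copied vault can read every saved URL in full. The following added example (not from LastPass or the original post) audits a list of your own saved URLs for entries that reveal more than a site name; the parameter-name list, hostname suffixes and sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that commonly carry secrets (assumed list, extend as needed).
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "key", "secret",
                    "password", "passwd", "sig", "signature", "session", "sid", "code"}
# Hostname suffixes that suggest internal infrastructure (assumed list).
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan", ".intranet")

def url_exposure(url):
    """Return the reasons a stored URL reveals more than a site name when read in plaintext."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username or parts.password:
        findings.append("credentials embedded in URL userinfo")
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"sensitive query parameter: {name}")
    try:
        if ipaddress.ip_address(host).is_private:
            findings.append("private IP address reveals internal network layout")
    except ValueError:
        # Not an IP literal: check for internal-looking or single-label hostnames.
        if host.endswith(INTERNAL_SUFFIXES) or (host and "." not in host):
            findings.append("internal hostname reveals infrastructure naming")
    return findings

def audit(urls):
    """Map each URL that has at least one finding to its list of findings."""
    return {u: f for u in urls if (f := url_exposure(u))}

# Constructed sample entries, not real vault data.
SAMPLE_URLS = [
    "https://mail.example.com/login",
    "https://admin:hunter2@router.example.net/",
    "https://files.example.org/share?token=abc123&lang=en",
    "http://10.20.0.5:8443/console",
    "https://jenkins.build.internal/job/deploy",
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_URLS).items():
        print(url)
        for finding in findings:
            print("   -", finding)
```

Entries flagged this way are candidates for rotating the embedded secret and re-saving the entry with only the base login URL.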