Password management company LastPass is recommending some users without default master password settings enabled change their passwords of websites they have stored after new information was revealed about an August 2022 security incident.
This new information, posted on the company’s website on Dec. 22, stems from an August 2022 incident which was originally thought to only include access to portions of the LastPass development environment and source code through single compromised developer account.
On Nov. 30, the company said the threat actor used information obtained from the August incident to gain access to a third-party cloud storage service used by both LastPass and affiliate GoTo. The company says the unauthorized party accessed “certain elements” of customer information, but passwords remained “safely encrypted” due to the company’s Zero Knowledge architecture.
Now, the company says the hacker copied information from backup that contained “basic customer account information and related metadata,” such as company names, end-user names, billing addresses, email addresses, telephone numbers and the UP addresses from which customers were accessing the LastPass service.
In addition, the threat actor copied a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary form that contains both unencrypted data, such as websites and URLs as well as fully encrypted sensitive fields such as usernames, passwords, secure notes and form-filled data.
However, LastPass says these encrypted fields are secured with 256-bit encryption and can only be decrypted with a unique encrypted key derived from each user’s master password via the company’s Zero Knowledge architecture. The company reiterates that the master password is never known to LastPass and is never stored or maintained by the company.
In addition, there was no evidence that unencrypted credit card data was accessed, the company says.
The threat actor may attempt to brute force master passwords to decrypt copies of stolen vault data, or could choose to conduct phishing attacks, credential stuffing or other brute force activities against online accounts associated with their LastPass vault, but the company says its default master password settings and best practices should help protect against those activities.
LastPass says its default master password settings are designed to make it very difficult for hackers to guess master passwords using generally available password-cracking tools, and it would take “millions of years” to do so.
While the company doesn’t recommend any immediate action, users should consider changing passwords of websites they have stored if default settings are not in place.
Those defaults include a twelve-character minimum for master passwords, 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), and never reusing master passwords on other websites.
In addition, business customers not using Federated Login without default password policies in place should also consider changing stored passwords for websites.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!