LastPass disclosed on Thursday that the attackers behind its August data breach obtained backups of customers' encrypted password vaults, the containers in which users store their passwords and other sensitive information.
In an updated blog post about the data breach, LastPass CEO Karim Toubba said the attackers used a cloud storage key obtained from a LastPass employee to access backups of customer vault data.
At the time, the company said the attackers had gained unauthorized access to parts of the password manager's development environment through a single compromised developer account and had stolen portions of source code along with some proprietary technical information. Customers' master passwords, encrypted vault data and personal information were not affected, LastPass said at the time.
In November, LastPass announced that it had detected an intrusion that appeared to use information obtained during the August incident. Toubba said the intruder had been able to "access certain elements" of customer data.
In Thursday's update, the company said the attacker had obtained basic customer account information, including billing addresses, email addresses, phone numbers, company names, end-user names and the IP addresses from which customers accessed the LastPass service.
The attacker also copied a backup of customer vault data, which contains both encrypted fields, such as website usernames and passwords, secure notes and form-fill data, and unencrypted fields, such as the URLs of the websites each entry belongs to.
According to LastPass, vaults are encrypted with a key derived from the user's master password, which LastPass itself does not hold, so the data can only be decrypted by someone who knows that password.
However, the company warned that the attacker, now in possession of a copy of the vault data, could attempt to brute-force master passwords offline in order to decrypt it.
There is currently no evidence that unencrypted credit card data was accessed. LastPass said it does not store complete credit card numbers, and the card data it does hold is kept in a cloud storage environment separate from the one the threat actor accessed.
LastPass noted that since 2018 it has required master passwords to be at least 12 characters long, which substantially raises the cost of a successful brute-force guess for customers whose passwords meet that requirement and are not reused elsewhere.
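The offline attack the two preceding paragraphs describe can be made concrete. The following is an added example, not LastPass code: it models an attacker who holds a copy of an encrypted vault and tests master-password guesses at whatever rate their hardware allows, so the only defences left are the size of the guess space (password length and character set) and the per-guess cost (key-derivation iterations). Key derivation is modelled as PBKDF2-HMAC-SHA256 salted with the account username, which is LastPass's published design; the vault itself is stood in for by an HMAC tag over constructed header bytes rather than a real AES blob so that the example runs on the standard library alone. The HMAC throughput figure and the sample password are assumptions; LastPass's default of 100,100 PBKDF2 iterations comes from its own notice, not from this article.

```python
"""Offline guessing against a stolen vault: what length and KDF cost buy.

Added example, not LastPass code. The key schedule (PBKDF2-HMAC-SHA256 with
the username as salt) follows LastPass's published design; the "vault" is an
HMAC tag over constructed bytes, a stand-in for the real AES ciphertext.
"""
import hashlib
import hmac
import itertools
import string

SALT = b"alice@example.com"                      # constructed: username used as per-user salt
VAULT_HEADER = b"constructed-vault-header-bytes"  # constructed stand-in for vault ciphertext
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master_password: str, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, username salt, iterations)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, iterations, dklen=32)


def seal_vault(master_password: str, iterations: int) -> bytes:
    """Stand-in for the encrypted vault: a tag that only the correct key reproduces."""
    return hmac.new(derive_key(master_password, iterations), VAULT_HEADER, "sha256").digest()


def unlocks(candidate: str, iterations: int, tag: bytes) -> bool:
    """The attacker's per-guess work: derive the key and see whether it opens the copy."""
    return hmac.compare_digest(seal_vault(candidate, iterations), tag)


def brute_force(tag: bytes, iterations: int, alphabet: str, max_len: int):
    """Exhaustive offline search over all strings up to max_len.
    Returns (password, guesses) on success, (None, guesses) otherwise."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if unlocks(candidate, iterations, tag):
                return candidate, guesses
    return None, guesses


def guesses_per_second(hmac_per_second: float, iterations: int) -> float:
    """Each guess costs `iterations` HMAC computations, so raising the
    iteration count divides the attacker's guess rate by the same factor."""
    return hmac_per_second / iterations


def expected_years(length: int, alphabet_size: int, rate: float) -> float:
    """Expected time to hit a uniformly random password of this length:
    on average half the keyspace has to be searched."""
    return (alphabet_size ** length) / 2 / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # A short lowercase master password falls to exhaustive search in seconds,
    # even with a non-trivial iteration count; only 2,056 guesses are needed.
    tag = seal_vault("cab", iterations=1000)
    found, tries = brute_force(tag, 1000, string.ascii_lowercase, max_len=3)
    print(f"recovered {found!r} after {tries} guesses")

    # Projected cost for realistic lengths. 1e10 HMAC/s is an assumed round
    # figure, roughly one high-end GPU; 100,100 is LastPass's published default.
    for iterations in (1, 5000, 100_100):
        rate = guesses_per_second(1e10, iterations)
        for length in (8, 12):
            yrs = expected_years(length, 95, rate)
            print(f"{iterations:>7} iterations, {length} printable chars: {yrs:,.1f} years")
```

Two things fall out of running it. First, for a customer who kept the defaults, the 12-character minimum and the iteration count multiply: each extra character widens the search space roughly a hundredfold for the printable-ASCII alphabet, and each iteration is a hundred thousandth of a guess the attacker does not get to make. Second, none of that helps a customer whose master password is short, predictable or reused, because a dictionary or a credential dump shrinks the guess space far more than any iteration count can compensate for.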
The company strongly recommends that users never reuse their Master Password on any other website.
“If you reuse your master password and that password has ever been hacked, a threat actor could try to access your account using compromised credential dumps already available on the internet,” he said.
Customers are also advised to be particularly wary of phishing emails and phone calls purporting to come from LastPass or other services that ask them to disclose sensitive information.
LastPass also published specific guidance for business customers who use its federated login service.
Business customers who do not use federated login, and whose master passwords do not follow the recommended default settings, should be aware that an attacker may need far fewer attempts to guess the master password correctly.
In that case, LastPass recommends, as an additional precaution, changing the passwords of the websites stored in the vault to minimize the risk.