
LastPass: Hackers Stole Customers’ Encrypted Passwords – Informatics – News

Hackers who stole data from LastPass this summer also stole users’ encrypted usernames and passwords. These are encrypted with AES-256, and the master password was not stolen during the attack. The passwords can, however, be brute-forced.

The attacker gained access to a backup of customer vault data, which contains unencrypted data such as URLs, as well as encrypted usernames, passwords, notes, and form-filled data. According to LastPass, this encrypted data can only be decrypted with the master password. This password is not stored by LastPass.

LastPass acknowledges that the master password can be recovered with brute-force techniques, in which case the encrypted data can still be read. The company says that if users followed LastPass’ recommendations, such as a 12-character master password, it would take millions of years for the password to be cracked “using today’s common brute-force techniques.”

LastPass then states that these users need not take any action. Only users who have shorter master passwords, reuse them elsewhere, or whose master passwords are not protected by LastPass’s latest implementation of the PBKDF2 algorithm are encouraged by LastPass to change their passwords on websites. LastPass increased the iteration count of its PBKDF2 implementation to 100,100 in 2018, but only for master passwords created thereafter.
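The sketch below is an added example, not code from LastPass or from the original article. It shows how password length and PBKDF2 iteration count together set the cost of an offline brute-force search. The attacker hash rate, the salt, the 5,000-iteration legacy profile, and all function names are assumptions chosen for illustration.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: attacker hardware performing 1e10 HMAC-SHA256 rounds per second.
ASSUMED_ROUNDS_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key (the size AES-256 needs)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password; human-chosen ones have less."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, iterations: int,
                     rounds_per_second: float = ASSUMED_ROUNDS_PER_SECOND) -> float:
    """Worst-case years to try every password of this length offline."""
    keyspace = alphabet_size ** length
    # Each guess costs `iterations` HMAC rounds, so the guess rate drops linearly.
    guesses_per_second = rounds_per_second / iterations
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed profiles: (label, length, alphabet size, PBKDF2 iterations).
    profiles = [
        ("12 random printable chars, 100,100 iterations", 12, 94, 100_100),
        ("12 random printable chars, 5,000 iterations (hypothetical)", 12, 94, 5_000),
        ("8 lowercase letters, 100,100 iterations", 8, 26, 100_100),
    ]
    for label, length, alphabet, iterations in profiles:
        print(f"{label}: {entropy_bits(length, alphabet):.1f} bits, "
              f"{years_to_exhaust(length, alphabet, iterations):.3g} years")
    # The derived key depends on the iteration count, so a stolen backup
    # keeps the work factor it had when it was taken.
    salt = b"constructed-salt"
    assert derive_vault_key("example", salt, 5_000) != derive_vault_key("example", salt, 100_100)
```

The estimate assumes a uniformly random password; a human-chosen or reused master password falls far sooner than the keyspace figure suggests, which is why the advice above singles out short and reused passwords.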

The company doesn’t say how many customers are affected, only that it has approached “less than three percent” of all corporate customers with recommendations for action. To do so, the company examined the settings of these customers. Corporate customers who have not been contacted by LastPass need take no action, according to the company. The company says nothing about private customers.

Hackers gained access to users’ passwords after a previous hacking attack in August. In that attack, the attacker gained access to the LastPass development environment, and source code and other technical information were stolen. This information was used by hackers to “target” an employee, obtain login credentials, and gain access to LastPass cloud storage.

The password manager said earlier this month that customer data had been viewed, including user or company names, addresses, email addresses, phone numbers, and IP addresses. LastPass now acknowledges that encrypted passwords have been stolen as well. LastPass says it has taken several steps to reduce the risk of a follow-up hack, including additional logging features, new development environments, and better developer account authentication. Law enforcement agencies and relevant regulatory authorities have been notified by LastPass. The company also warns users of phishing attempts following the hack.
