The password manager LastPass announced on Thursday that, after once again getting hacked this August, the most recent intrusion had been more severe than first reported, with attackers stealing users' password vaults in some instances. In other words, the hackers have people's entire collections of encrypted personal data, if not an immediate means to unlock them, Engadget reported. LastPass CEO Karim Toubba confirmed that no customer data was accessed during the August 2022 incident. Source code from the app was lifted and then used to spearphish a LastPass employee into giving up their access credentials, which were then used to decrypt and download "some storage volumes within the cloud-based storage service," he told the outlet. The hackers obtained basic customer account information, including company names, billing addresses, email addresses, IP addresses, and telephone numbers, Toubba added.
"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," Toubba said. "As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass." According to Toubba, the company detected unusual activity within a third-party cloud storage service it shares with its parent, GoTo, which was formerly LogMeIn. The company determined that the unauthorized party, using information obtained in LastPass' security breach in August this year, had gained access to LastPass' cloud service. LastPass has partnered with security firm Mandiant to investigate the incident, Engadget reported.
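The "unique encryption key derived from each user's master password" that Toubba describes is the property that keeps a stolen vault unreadable, and it is worth seeing concretely what a thief ends up holding. The Go program below is an added illustration of that model, not LastPass's own code: the article does not name a derivation function, so it assumes PBKDF2-HMAC-SHA256 for turning the master password into a key, and AES-256-GCM for the vault itself. The salt and iteration count are stored next to the encrypted blob; the master password and the derived key exist only on the client. Opening the blob with a key derived from the wrong master password fails the authentication tag check rather than producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 as the PRF (RFC 8018).
// It is written out here only so the example needs nothing beyond the Go
// standard library; production code should use a vetted library routine.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	for i := 1; i <= blocks; i++ {
		// U_1 = PRF(password, salt || INT(i))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// VaultKey derives the 256-bit AES key from the master password. The salt and
// iteration count may be stored beside the vault; the password and the key
// are never sent to or kept by the service (the "zero knowledge" property).
func VaultKey(masterPassword string, salt []byte, iterations int) []byte {
	return pbkdf2SHA256([]byte(masterPassword), salt, iterations, 32)
}

// SealVault encrypts the serialized vault with AES-256-GCM under key and
// returns nonce || ciphertext || tag, which is all a storage breach exposes.
func SealVault(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVault reverses SealVault. A key derived from the wrong master password
// fails the GCM tag check, so the caller gets an error, not garbled plaintext.
func OpenVault(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed vault too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample values; not taken from any real account.
	salt, iterations := []byte("constructed-per-user-salt"), 100000
	key := VaultKey("correct horse battery staple", salt, iterations)
	sealed, err := SealVault(key, []byte(`{"site":"example.test","user":"alice","password":"hunter2"}`))
	if err != nil {
		panic(err)
	}
	_, okErr := OpenVault(key, sealed)
	_, badErr := OpenVault(VaultKey("correct horse battery stapler", salt, iterations), sealed)
	fmt.Printf("blob %d bytes; right password opens: %v; wrong password opens: %v (%v)\n",
		len(sealed), okErr == nil, badErr == nil, badErr)
}
```

The point for defenders is the one the article makes: once the blob, salt and iteration count are in an attacker's hands, the only thing between them and the plaintext is the work of guessing the master password, so the strength of that password and the cost of each derivation are what the "zero knowledge" claim actually rests on.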
We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate GoTo. Customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. More info: https://t.co/xk2vKa7icq — LastPass (@LastPass) November 30, 2022
In August, after LastPass was hacked, Toubba admitted that an unauthorized party had access to the company's systems for four days after the hack. LastPass reported that customer data and encrypted password vaults remained untouched after the hacker stole some of the password manager's source code and technical information. Apparently, the hacker had limited access to the service's development environment. LastPass said customers' passwords remain encrypted, despite the unauthorized party being able to access some user information this time, the outlet noted. According to GoTo, bad actors gained access to its development environment through remote work and collaboration tools. In the same vein as LastPass, the company has assured customers that its products and services remain fully functional. In the coming months, more details about the incident will likely emerge as the password manager and its parent company continue investigating its scope.