LastPass, a password management service, has recently announced that hackers stole encrypted copies of customer passwords and other sensitive data such as billing addresses, phone numbers, and IP addresses. At that time, the company said that it had not received any evidence that the hackers had access to customer data or encrypted password vaults.
However, the company has stated that source code and technical information were stolen as part of that hack and were used to target another employee. The hackers were able to obtain credentials and keys to access and decrypt data stored in a third-party cloud storage space.
The hackers were able to copy basic customer account information, including email addresses and the IP addresses from which customers accessed LastPass, as well as fully encrypted sensitive fields, including website usernames, passwords, secure notes, and form-filled data.
Password managers let customers store usernames and passwords in one place and access them using a master password. The company mentioned that the master password isn’t known to LastPass, nor is it stored or maintained by the company.
The encrypted data can only be decrypted with a unique encryption key derived from each user’s master password.
LastPass warned customers that they could be targeted with social engineering, phishing attempts, and more.
The company also said that threat actors might attempt to use brute force to guess customers' master passwords and decrypt the copies of vault data they hold. Because of the hashing and encryption methods LastPass uses to protect its customers, the company said, it would be extremely difficult for the hackers to brute-force master passwords for those customers who follow its password best practices.
For customers who follow those practices, the company said, it would take millions of years to guess their master password using generally available password-cracking technology.
The company has also recruited employees from the cybersecurity firm Mandiant to investigate the breach. LastPass is also rebuilding its entire development environment from scratch, an indication that hackers have thoroughly compromised the company’s sensitive systems.
According to LastPass, the investigation is continuing, and it has notified law enforcement and “relevant regulatory authorities.”