Earlier this year, LastPass was attacked twice. The first incident happened in August - we posted the available information about the incident and its investigation in our blog posts. Then, in autumn, the attacker tried again, using the information gathered during the first attempt. LastPass CEO Karim Toubba shared some details regarding the incident in a recent blog post.
According to his report, the attacker obtained the cloud storage access key and dual storage container decryption keys and then copied information from a backup. This backup contained customer information, including company names, user names, billing addresses, email addresses, phone numbers, and client IP addresses. In addition, the attacker copied a backup of customer vault data that contains unencrypted URLs and encrypted sensitive fields (usernames, passwords, secure notes, and form-filled data).
LastPass emphasized that the encrypted data is protected with 256-bit AES encryption, so it can only be decrypted using the user's master password. It is therefore important to keep your master password secret and to avoid using it or writing it anywhere except in your LastPass client.
In addition, it is recommended to minimize the risk by updating the passwords for the websites stored in LastPass.