

Detailed in a blog post this week, new information is being released that is tied to a hack that took place earlier this year. At that time, the hack wasn't exactly newsworthy for us (we're just an Android blog), as LastPass said that a hacker merely gained access to a developer test environment and some source code. However, due to that hack, a subsequent event recently took place in which the hacker was able to compromise a LastPass employee's account and gain access to much, much more.

As detailed by LastPass, someone has been able to gain access to encrypted backup copies of customer vault data. That vault data is what contains everything a user might store with the service. We're talking account usernames, passwords, banking information, and everything else. For a hacker, it could be the mother lode.

According to LastPass, these vaults are encrypted with some serious security, meaning nothing should be able to access this stolen data except a user's master password. Thankfully, those master passwords are not stored by LastPass, so as long as the hacker is unable to brute force into the vault (guessing a correct password), most sensitive user data should remain safe. I'm not a security expert, so I'll let LastPass better explain what's happening:

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from a backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. There is no evidence that any unencrypted credit card data was accessed.
