The August data leak at password manager LastPass was much worse than initially thought, according to a statement from the company. The attacker was able to steal customer vault data, including encrypted passwords, as well as customer and company names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed the service.
It was already known that the attacker had used information obtained in the earlier August intrusion to get into LastPass's cloud storage. The company has now revealed that the attacker also extracted the keys and credentials needed to download customer vault backups stored there.
Using cloud storage access keys and dual storage container decryption keys taken from LastPass's development environment, the attacker was able to copy a backup of customer vault data from the encrypted storage container. That vault data contains both unencrypted fields, such as website URLs, and encrypted fields, including site usernames and passwords, secure notes, and form-filled data.
LastPass emphasized that the sensitive fields are protected by 256-bit AES encryption and can only be decrypted with a key derived from the user's master password, which LastPass says it never stores. Because the attacker now holds the encrypted vaults, the remaining threat is offline guessing: master passwords can be tried at will with nothing to rate-limit the attempts, so the company stressed making the master password as resistant to guessing as possible and never reusing it on other sites, where a separate breach could expose it.
LastPass said it is working with the security firm Mandiant to investigate the incident and is rebuilding its development environment. It has also notified law enforcement and the relevant regulators of the breach.
LastPass advises users to use a master password of at least 12 characters, to raise the PBKDF2 (Password-Based Key Derivation Function 2) iteration count in their account settings, since each additional iteration multiplies the work an attacker must do per guess, and never to reuse the master password on other sites. Users whose master password or iteration setting falls short of these guidelines should consider changing the passwords of the websites stored in their vault. The company has provided more detailed recommendations in its blog.
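To make the offline-guessing threat concrete, the following added illustration (not LastPass's own code) models the vault key as PBKDF2-HMAC-SHA256 over the master password, salted with the account email, with a login verifier formed by one more PBKDF2 round, which is the scheme LastPass has described publicly; it then runs an attacker's dictionary loop against a stolen (email, verifier, iteration count) triple and measures how the per-guess cost scales with the iteration count. The verifier check stands in for "does this key decrypt a vault record", so no AES library is needed. The email, wordlist and passwords are constructed; 100,100 is LastPass's documented default iteration count for newer accounts, and 5,000 is assumed here as a lower legacy setting.

```python
import hashlib
import hmac
import math
import time

# Assumed scheme for this illustration (not LastPass's code): the vault key is
# PBKDF2-HMAC-SHA256(master_password, salt=lower-cased email, iterations), and
# the server-side login verifier is one further PBKDF2 round over that key.
def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,  # 256-bit AES key
    )


def login_verifier(vault_key: bytes, master_password: str) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32
    )


def offline_guess(email: str, verifier: bytes, iterations: int, wordlist):
    """Attacker's loop over stolen data: nothing rate-limits these attempts.

    The verifier comparison stands in for 'does this key decrypt a vault
    record to valid plaintext'. Returns (recovered_password or None, guesses).
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(login_verifier(key, guess), verifier):
            return guess, tried
    return None, tried


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, seconds_per_guess: float) -> float:
    """Average offline cost: half the space at the measured per-guess cost."""
    return 2 ** (bits - 1) * seconds_per_guess


def seconds_per_guess(iterations: int, email: str = "victim@example.com") -> float:
    """Time one derivation on this machine; cost scales linearly with iterations."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    email = "victim@example.com"                              # constructed
    weak, strong = "letmein1", "correct-horse-battery-staple-9$"
    wordlist = ["password", "123456", "letmein1", "qwerty"]  # constructed

    # 5000 = assumed legacy setting; 100100 = LastPass's documented newer default
    for label, pw in (("weak", weak), ("strong", strong)):
        for iters in (5000, 100100):
            verifier = login_verifier(derive_vault_key(pw, email, iters), pw)
            found, n = offline_guess(email, verifier, iters, wordlist)
            state = "cracked after" if found else "survived"
            print(f"{label:6} {iters:>6} iters: {state} {n} guesses")

    # Single-core cost model for a 12-character random password over 95 printable ASCII
    for iters in (5000, 100100):
        spg = seconds_per_guess(iters)
        years = expected_crack_seconds(entropy_bits(12, 95), spg) / (365 * 86400)
        print(f"{iters:>6} iters: {spg * 1000:.2f} ms/guess here, "
              f"~{years:.2e} core-years for 12 random characters")
```

The two levers the article mentions show up directly: the wordlist finds the weak password in a handful of guesses regardless of the iteration count, while a password outside any wordlist forces the attacker into the entropy model, where a twenty-fold higher iteration count makes every guess twenty times more expensive. Real attackers use GPUs rather than a single CPU core, so treat the printed core-years as a lower bound on the attacker's relative cost, not an absolute number.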
Despite the data leak, LastPass remains one of the most popular password managers, with over 33 million users and 100,000 businesses worldwide. The company has also advised users to take additional security measures, such as enabling two-factor authentication, to protect their accounts. Note that two-factor authentication protects logins to the live service; it does nothing to slow guessing against the vault copies the attacker already holds, which is why master password strength and the iteration count matter most for the stolen data.