"LastPass: Customer Vault Data Was Taken"

Password management giant LastPass has recently revealed that the hackers who breached the firm in August made off with encrypted customer vault data and unencrypted account information. The update comes after the firm initially said that the incident only resulted in a breach of "source code and some proprietary LastPass technical information."

The company stated that in the August incident the hackers obtained "source code and technical information" from the firm's development environment, which were subsequently used to target another employee. This gave them credentials and keys, which were then used to access and decrypt some storage volumes within the firm's cloud-based storage service. The company noted that these volumes included a backup of customer vault data, containing both unencrypted data such as website URLs and fully encrypted, highly sensitive fields such as website usernames and passwords.

The company stated that these encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using its Zero Knowledge architecture. The company noted that the master password is never known to it and is not stored or maintained by it. Encryption and decryption of data are performed only on the local LastPass client. The company claimed that if customers use the LastPass default master password settings, it will take "millions of years" for the hackers to crack their credentials. However, it is important to note that if a master password does not follow the password defaults, significantly fewer attempts would be needed to guess it correctly.

Among the data stolen were company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

 

Infosecurity reports: "LastPass: Customer Vault Data Was Taken"

Submitted by Anonymous on