Hackers obtained LastPass customer data vaults in recent data breach




LastPass informs users that the August data breach gave hackers access to users' names, addresses, and data vaults.


On November 30, LastPass notified users that it was investigating an August "security incident" leading to user data theft.




Now, LastPass CEO Karim Toubba has posted a blog post informing users of the extent of what was stolen.




"To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the blog post reads.



The hacker also created a copy of customer vault data, which the company maintains is "stored in a proprietary binary format." Some vault data, like website URLs, is not encrypted. Other data, like usernames and passwords, are "secured with 256-bit AES encryption," which the company maintains cannot be decrypted by hackers.




"[Encrypted data] can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," Toubba writes. "As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."




While the company claims that it would be highly unlikely that the hackers could decrypt the data, it warns users that they could be targeted by phishing or ..
