LastPass says customer vault data obtained by hacker in security breach


LastPass provides another update on the security breach it suffered in August.


CEO Karim Toubba wrote in a blog post that the hacker copied information from a cloud-based storage service using the stolen cloud storage access key and dual storage container decryption keys.


The copied information includes basic account information such as company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.


The hacker also managed to copy a backup of customer vault data which contains unencrypted data (e.g. website URLs) and fully-encrypted sensitive fields (e.g. website user names/passwords, and secure notes).


LastPass reiterates that the encrypted fields are secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from the user's master password. As LastPass deploys a Zero Knowledge architecture, the master password is never known to the company and is not stored or maintained by the company.


Nonetheless, LastPass says the hacker might use brute force to guess the master passwords and decrypt the copies of vault data. It would be extremely challenging for the hacker to guess the master passwords if customers follow the password best practices (e.g. minimum of 12 characters, combination of upper/lower case/numeric/special characters, a passphrase). 


LastPass claims it will take millions of years to guess the master password if customers follow its password best practices, and if the hacker uses generally-available password-cracking tools.
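The three points above (a vault key derived client-side from the master password, a server that never holds that password, and a brute-force cost that depends on password strength and on how slow each guess is) are easier to reason about in code. The following is an added example, not LastPass code and not a description of its actual scheme: it assumes PBKDF2-HMAC-SHA256 as the key derivation function, the account email as salt, an iteration count of 100,100, and attacker guess rates chosen purely for illustration. None of those figures come from the article.

```python
"""Added example (not LastPass code): client-side key derivation,
a zero-knowledge login token, and a brute-force cost estimate.

Assumptions not stated on the page: PBKDF2-HMAC-SHA256 as the KDF, the
account email as salt, 100_100 iterations, and the attacker guess rates
used in the demo at the bottom.
"""
import hashlib
import hmac
import math
from typing import NamedTuple

ASSUMED_ITERATIONS = 100_100   # assumed KDF work factor, not a LastPass figure
KEY_LEN = 32                   # 256-bit key, matching the AES-256 the article cites


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive the 256-bit vault encryption key on the user's device.

    The key (and the master password) never leave the client, so a copy
    of the encrypted vault is useless without re-running this derivation.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more PBKDF2 round turns the vault key into a login token.

    The server stores and compares only this value (assumed zero-knowledge
    pattern), so neither the master password nor the vault key is ever
    held server-side.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)


def server_verifies(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Server-side check: constant-time compare of login tokens only."""
    return hmac.compare_digest(stored_hash, presented_hash)


def effective_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """Each master-password guess costs `iterations` hash operations,
    so the KDF work factor divides the attacker's raw hash throughput."""
    return raw_hashes_per_second / iterations


class CrackEstimate(NamedTuple):
    entropy_bits: float
    keyspace: float
    years_to_exhaust: float


def estimate_brute_force(length: int, charset_size: int,
                         guesses_per_second: float) -> CrackEstimate:
    """Worst-case time to try every password of the given length/charset
    at a given (post-KDF) guess rate. Random passwords are assumed; a
    dictionary word or reused password has far less effective entropy."""
    keyspace = float(charset_size) ** length
    bits = length * math.log2(charset_size)
    seconds = keyspace / guesses_per_second
    return CrackEstimate(bits, keyspace, seconds / (365.25 * 24 * 3600))


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    token = derive_login_hash(key, "correct horse battery staple")
    print("vault key (never sent):", key.hex()[:16], "...")
    print("login token (sent):    ", token.hex()[:16], "...")
    print("server accepts:", server_verifies(token, token))

    # Assumed attacker throughput: 1e10 raw SHA-256/s before the KDF cost.
    rate = effective_guess_rate(1e10, ASSUMED_ITERATIONS)
    for label, length, charset in (("8 lowercase", 8, 26),
                                   ("12 mixed (article's minimum)", 12, 94)):
        est = estimate_brute_force(length, charset, rate)
        print(f"{label}: {est.entropy_bits:.1f} bits, "
              f"{est.years_to_exhaust:.3g} years to exhaust")
```

Running the demo shows the two levers a defender controls: the iteration count cuts the attacker's guess rate by a factor of 100,100 under these assumptions, and going from 8 lowercase characters to a 12-character mixed set moves the exhaustive search from seconds to far beyond the "millions of years" the article quotes. The estimate is for random passwords only; a guessable or reused master password collapses the keyspace regardless of the KDF.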


The hacker might target customers with phishing attacks, credential stuffing or other brute force attacks against online accounts associated with the LastPass vault.


La ..
