LastPass, a password management app that suffered a hack in August, announced on Thursday that the extent of the damage was far greater than previously reported. In some cases, hackers were able to obtain users’ password vaults, which means they now hold people’s entire collections of encrypted personal data, although they do not have the means to unlock it immediately. The encrypted data obtained by the hackers included basic customer account information such as company names, billing and email addresses, IP addresses, and telephone numbers. According to LastPass, these encrypted fields are secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password under the company’s Zero Knowledge architecture. The master password is not known to LastPass and is not stored or maintained by the company.
“No customer data was accessed during the August 2022 incident,” LastPass CEO Karim Toubba explained. However, some of the app’s source code was lifted and then used to spearphish a LastPass employee into giving up their access credentials; the attackers then used those keys to decrypt and copy off “some storage volumes within the cloud-based storage service.”