
LastPass

Company

Information Technology
USA
Fairfax
8315 Lee Hwy Suite 501, VA 22031



LastPass is a private Delaware corporation headquartered in Virginia, USA.

History

2022

Data theft of 33 million users

On December 22, 2022, the team behind LastPass, one of the world's most popular password managers, announced that the service had been attacked by hackers: the attackers managed to steal the data of millions of users.

LastPass - password storage program

The LastPass hack first became known in August 2022. At that time, the service's representatives said that user information had not been stolen, but that the attackers had gained access to certain source code and technical information from the service's development environment. This data, as it now turns out, was used to attack one of the LastPass employees. As a result, credentials and keys were stolen, which gave the cybercriminals access to cloud storage and allowed them to decrypt some of the volumes located there.

Ultimately, the hackers were able to steal a backup copy of the LastPass user database, which covers approximately 33 million users. It contains information such as people's names and company names, email addresses, phone numbers, IP addresses, and some financial information.

LastPass emphasizes that only some of the information is stored in clear text, in particular website URLs. Personal user data, passwords and form-filling data are protected by 256-bit encryption. Accessing them requires a key derived from the master password, which is known only to the user. Such a password must contain at least 12 characters, including lowercase and capital letters, as well as numbers. Attackers can try to find the right combination by brute force, but this, as LastPass notes, will take millions of years. However, there is another option: cybercriminals can use social engineering or phishing to obtain the master password from the user directly.[1]

Hacking and Source Code Theft

The popular LastPass password manager, which is used by 33 million people, confirmed that the service had been hacked. Source code and confidential technical information were stolen from the platform, the company said at the end of August 2022.

"The unauthorized party gained access to parts of the LastPass development environment through one compromised developer account," LastPass said in a statement.

LastPass reported hacking

The company said that hackers did not gain access to passwords, so users do not need to change them in their accounts.

The service generates and stores passwords for multiple accounts, such as Netflix or Gmail. With it, users can keep their passwords stored and do not have to enter their credentials manually when logging in to sites.

Passwords are encrypted with the AES-256 algorithm and stored in the cloud so that they can be synchronized between devices. LastPass has a form-filling feature that enters passwords automatically.

According to Bloomberg, the hacking of the service became known in mid-August 2022. Allan Liska, an analyst at cybersecurity company Recorded Future, whose comment is quoted by the agency, noted that he was impressed by how quickly the preliminary investigation of the hack was completed: it usually takes specialists more time to fully assess the situation and report on it. The expert also found the company's statement that the attackers did not gain access to customer data convincing.

"It will take time to fully determine the extent of the damage that may have been caused by the breach. However, at the moment, no negative consequences have been found for customers," the analyst said.[2]

Notes