
Information on the LastPass data breach (currently available)

The LastPass data breach has widened: over four months, the damage has escalated significantly, leaving the majority of the data stored by the password manager exposed.

Information on the LastPass security incident: insights thus far

In August 2022, an unidentified threat actor gained access to LastPass' cloud-based storage environment and encrypted password vaults. According to LastPass, the encrypted vault data was not accessed or decrypted during the breach.

However, on Nov. 30, 2022, LastPass acknowledged that customer data had been compromised as a result of the August breach. On Dec. 22, 2022, came a more significant disclosure: LastPass confirmed that encrypted passwords, usernames and form-fill data, together with unencrypted data such as website URLs, company names, billing addresses, email addresses, phone numbers and IP addresses, had been compromised.

LastPass' development and production infrastructure are physically separated, and the threat actor is believed to have gained access through a compromised developer account. The master password, which is never known to LastPass and is not stored or maintained by LastPass, remains secure.

LastPass deployed containment and mitigation measures and hired a cybersecurity and forensics firm to assist with further investigation. After a forensic review with Mandiant, LastPass found no further evidence of activity from a threat actor or customer data access.

LastPass' CEO, Karim Toubba, declared the breach contained within weeks of its detection in August 2022; by late November, however, it was clear that it had not been. LastPass' services are running normally and continue to operate in a state of heightened alert.

LastPass, with over 100,000 business customers and over 33 million registered users, identified fewer than 3% of its business customers as being at risk because of specific account configurations and advised them to take certain steps. If LastPass' default master password settings are followed, it would take "millions of years" to guess a master password using generally available password-cracking technology.

The threat actor is suspected of attempting to brute-force master passwords, or of targeting customers with phishing attacks or credential stuffing. The investigation is ongoing. LastPass contained the incident between mid-August and mid-September 2022.

Despite the breach, LastPass continues to emphasise the security of its services, stating that the backup of customer vault data remains secured with 256-bit AES encryption, and can be decrypted with a unique encryption key derived from each user's master password.
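The two claims above, that the vault key is derived from the master password and that a default-policy password would take "millions of years" to guess, hinge on how expensive each offline guess is. The following is an added illustration, not LastPass code: the article does not name the key derivation function or its parameters, so PBKDF2-HMAC-SHA256, the iteration counts, the 12-character policy and the attacker's guessing rate are all assumptions chosen to show how the cost scales.

```python
import hashlib
import os

# Constructed example. The article states only that vault backups are protected
# with 256-bit AES under a key derived from the user's master password. The KDF
# (PBKDF2-HMAC-SHA256) and the iteration counts below are assumptions, not
# LastPass's documented settings.
KEY_BYTES = 32                # 256-bit AES key, as the article states
ASSUMED_ITERATIONS = 100_000  # placeholder iteration count for the assumed KDF


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key (assumed PBKDF2-HMAC-SHA256).

    Whoever holds a stolen encrypted vault must repeat this derivation for every
    guess, so the iteration count multiplies the cost of each guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def expected_crack_years(length: int, charset_size: int, iterations: int,
                         hmac_per_second: float) -> float:
    """Expected years to find a random master password by offline brute force.

    On average half the keyspace is searched; each guess costs `iterations` HMAC
    evaluations at `hmac_per_second` (assumed attacker throughput).
    """
    average_guesses = charset_size ** length / 2
    seconds = average_guesses * iterations / hmac_per_second
    return seconds / (365.25 * 24 * 3600)


def policy_comparison(hmac_per_second: float = 1e10) -> dict:
    """Compare an assumed 12-character mixed-case alphanumeric policy with weaker settings."""
    return {
        "12 chars, 100k iterations": expected_crack_years(12, 62, 100_000, hmac_per_second),
        "8 chars, 100k iterations": expected_crack_years(8, 62, 100_000, hmac_per_second),
        "8 chars, 5k iterations": expected_crack_years(8, 62, 5_000, hmac_per_second),
    }


if __name__ == "__main__":
    salt = os.urandom(16)  # per-user salt, constructed here
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    for policy, years in policy_comparison().items():
        print(f"{policy}: ~{years:,.0f} years")
```

Under these assumptions the 12-character policy lands in the hundreds of millions of years, while an 8-character password with a low iteration count drops to a couple of years, which is why the article singles out accounts with weaker configurations as the ones at risk.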
