source link: https://www.gizchina.com/2023/02/11/attackers-obtained-passwords-of-30-million-users-and-85000-companies-in-lastpass-security-breach/

Attackers Obtained Passwords of 30 Million Users and 85,000 Companies in LastPass Security Breach



Over the past few months, LastPass has been at the centre of several incidents involving user data leaks. In December last year, LastPass released a report revealing that it had been attacked in November. At the time, the company did not disclose many details of the attack. However, fresh investigations now reveal that the attack dates back several months. In addition, the attacker obtained the passwords of 30 million users and 85,000 companies from LastPass. LastPass is a freemium cross-platform online password management tool. It aims to spare users from repeatedly entering passwords by centralizing their passwords in the cloud. The system supports most browsers and platforms across the web.


Most valued data breach?

For this reason, if you have any of your details linked to LastPass, you have genuine reasons to be worried.

FTM states in the report: “This may be one of the most valuable stolen databases ever. The database involves millions of users, and each user typically stores dozens of passwords”.

LastPass issued four reports in the last year, and the problems disclosed in them have become progressively more serious. Chief Executive Karim Toubba said last August that a hacker had gained access to the company’s development environment through an employee’s account. Toubba said the hacker’s activity was “limited” and that LastPass customers did not have to worry or take any action.

Another LastPass report in mid-September claimed that an internal investigation had found that hackers had access to its systems for four days but did nothing serious. LastPass reported another cyberattack in late November, with hackers accessing “certain elements of customer information.” But LastPass insisted there was no reason to worry.


LastPass announced on December 22, three days before Christmas last year, that hackers had stolen users’ names, addresses, emails, phone numbers and more. However, the company still insists there are no major issues to worry about. As long as customers have a good master password, their passwords are safe, the company said. LastPass said it would take millions of years to crack a 12-character password using “universally available techniques.”

LastPass suffers multiple data breaches

Back in December, The Verge reported that the password management tool LastPass had suffered another data breach. Hackers accessed LastPass’ third-party cloud storage servers and obtained critical information about some of its customers, CEO Karim Toubba said in a blog post.

In his blog post, Toubba did not specify what information the hackers had stolen or how many users were affected. “Thanks to LastPass’ Zero Knowledge architecture, our customers’ passwords remain securely encrypted,” Toubba said in the post. The so-called zero-knowledge architecture means that only the user knows the master password. Encryption happens on the user’s device rather than on the server side, so LastPass itself never learns the master password.


LastPass had a source code leak in August this year and admitted that hackers had entered LastPass’ internal systems. The November attack appears to be related to the August incident: Toubba said the hackers “used info obtained during the August 2022 incident” to gain access to user data.

LastPass admits source code was stolen by hackers

In August, LastPass publicly admitted a security incident. It revealed that a developer’s account had been compromised and that criminals had obtained part of the source code and some proprietary technical information. However, the company claimed that no user data had leaked and that its products and services were safe. The company also stated that its products and services were working normally and that users did not need to do anything.


LastPass said it discovered in November last year that the security breach had been exploited. However, its investigation concluded that all user data was safe because the company never stored any master password on its servers in the first place. Thus, it says, these passwords were never at risk.

“We have determined that an unauthorized party gained partial access to the LastPass development environment through a compromised developer account and obtained portions of the source code and some proprietary LastPass technical information. Our products and services run normally. This happened in our development environment. Our findings indicate that no unauthorized persons have accessed encrypted vault data. Our model ensures that only the customer himself has the right to decrypt vault data. Currently, we do not recommend any action by our users or administrators”.

Passwords in LastPass are protected by a master password, encrypted locally, and synced to any browser. LastPass also supports features such as automatic form-filling, random password generation, and password sharing.

LastPass Hacked, CEO Assures No User Data Leaked

Back in August, LastPass admitted that its systems had been hacked and that some sensitive information was obtained over a period of about four days. LastPass’ CEO said the company would work closely with security experts from Mandiant to verify that no user data was leaked. It said that the security of its users’ data is of the utmost importance.


The CEO assured that while LastPass was hacked, no user data was leaked. From the information so far, the attackers did obtain some LastPass password manager source code and technical information. However, this is limited to the development systems of the service and has nothing to do with user data. Moreover, LastPass itself does not have access to users’ master passwords. In fact, the company says the master passwords are never on its servers in the first place, so the hackers could not have stolen them.

After passing multi-factor authentication, the attackers used a developer’s endpoint to impersonate the developer. This is how they gained the access needed to steal the information.
