LastPass says hackers have a copy of customer data, warns of phishing attacks

LastPass password manager that enables its customers to reduce the reuse of passwords online, by storing them in a single app, has said that hackers have a copy of consumer data, including names, email addresses, billing addresses and telephone numbers. The company CEO also says the data is encrypted and the threat actor may attempt to decrypt the copies of the data and may carry out phishing attacks.
LastPass CEO Karim Toubba says that they found in an investigation that an unknown threat actor accessed a cloud-based storage environment in August of 2022. At that time, the company said that no customer data was accessed, however, hackers stole some source code and technical information which was used to target another employee.
Hackers then obtained some credentials and keys which were “used to access and decrypt some storage volumes within the cloud-based storage service.”

What data has been copied?
With the help of the cloud storage access key and dual storage container decryption keys, “the threat actor copied information from a backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the CEO said in a blog post.
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” Toubba said.
As per LastPass, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.

Phishing attack threat
LastPass has also warned that to get access to the encrypted copies of vault data, hackers may attempt to use “brute force” to guess the master password. “The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault,” Toubba says.
LastPass also mentions that they have found no evidence that any unencrypted credit card data was accessed.