LastPass yesterday published an update that spells out the consequences of the security incident it suffered in August, and the picture is now considerably more serious than the company originally described.

At the time, LastPass stated that the attackers had used a compromised developer account to steal parts of the source code and unspecified “technical information proprietary to LastPass”. The company then determined that customer master passwords, encrypted passwords, personal information, and other data stored in customer accounts had not been affected by the attack.

The update released in the past few hours puts the story in a different light. LastPass has notified users that the unauthorized access in August gave the attackers access to personal information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers and the IP addresses used by customers to access LastPass services. Not only that: the attackers were also able to obtain a backup of customer vault data, consisting of unencrypted data such as website URLs and encrypted fields such as website usernames and passwords, secure notes, and form-fill data.

Karim Toubba, CEO of LastPass, explained: “These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. Please note that the master password is never known to LastPass and is not saved or maintained by LastPass. Encryption and decryption of information are performed only on the local LastPass client.” For those wishing to learn more about the Zero Knowledge technology and how it works, please refer to the LastPass website.

Among the clarifications LastPass provided with the update, it should be noted that the investigation has so far given no reason to believe that unencrypted credit card data was accessed. In any case, LastPass does not store complete credit card information, and whatever is saved is held in a different cloud environment from the one that was accessed without authorization.

The August incident appears to be linked to another security incident, this one against Twilio, an authentication service provider based in San Francisco. On that occasion, data belonging to 163 of the company’s customers was stolen, and the same actor behind the Twilio compromise has since hit other companies, including LastPass.


