The data breach reported by password manager LastPass in early December was more serious than previously thought. The company, in an updated post on its blog, reported that the attackers downloaded not only encrypted data containing saved passwords but also unencrypted metadata containing a variety of sensitive information.
According to the company, the leak occurred through a cloud service where LastPass stored a backup copy of its sensitive data. The attackers used information obtained in the August 2022 attack to obtain credentials and encryption keys from one of its employees, which were needed to decrypt some of the stored data.
The leaked data includes account information (names, postal and email addresses, phone numbers, and the IP addresses from which users logged into LastPass). The attackers also downloaded copies of “data vaults”, which contain saved passwords and other data.
Some of the data LastPass stored was encrypted (including the most essential part, the usernames and passwords saved for websites), but some was not. Of the unencrypted fields, the most sensitive are probably the addresses of the websites for which users had saved passwords.
This is a problem primarily because the leaked metadata can help attackers in subsequent phishing attacks on users. “LastPass will never call, email or text you to confirm your personal information. And aside from the situation where you log into your account, you won’t even be asked for your master password,” the company warns, referring to the social engineering techniques attackers may use.
According to the company, it should be virtually impossible to guess or crack master passwords, but only if users have followed the rules for creating truly secure passwords. These include choosing a unique and sufficiently long password (LastPass has not allowed master passwords shorter than 12 characters since 2018) and not reusing it elsewhere.