The operator of the well-known password manager LastPass has been hacked twice this year, once in August and again in early December. Yesterday, LastPass CEO Karim Toubba wrote that the attackers obtained sensitive customer data such as company names, user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers last logged in.
They also managed to obtain backups of customers' encrypted password vaults (vault data). These backups contain unencrypted website URLs alongside the passwords themselves, which are encrypted with 256-bit AES. Because of the zero-knowledge design, the LastPass master password is not stored anywhere and the vault is only ever decrypted in the user's own client. However, with a copy of the encrypted vault in hand, attackers can attempt to brute-force the master password offline. LastPass is used by approximately 33 million people and 100,000 businesses worldwide.
(source: BleepingComputer, Ars Technica)