Password manager LastPass warned customers that a cyberattack on its systems in August resulted in the attackers copying encrypted files containing passwords.
“Source code and technical information were stolen from our development environment and used to attack one of the employees to obtain credentials and keys that were used to access and decrypt some storage volumes in the cloud storage service,” the service said.
The hackers gained access to the following information:
- basic information about the client account;
- company names;
- end user names;
- billing addresses;
- email addresses;
- phone numbers;
- user IP addresses.
The attacker also copied data from the "customer repository," the file in which LastPass lets customers store their passwords, the company said. This repository contains:
- URLs of saved sites;
- fully encrypted logins and passwords of sites;
- protected notes;
- autocomplete data.
This means that the attackers have user passwords, but only in encrypted form: they are encrypted with "256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password."
Although the attackers hold the user passwords, they will not be able to guess the master password by brute force, since the time this would take cannot even be calculated. Among other recommendations, LastPass advised against reusing the master password on other sites or services.