Extract from Tasneem Bandukwala’s article “What Happens When a Password Vault Is Breached?”
This data breach incident began in August 2022, when a criminal gained access to the company’s development environment and stole source code and technical information that allowed them to target an employee. The hacker eventually gained access to credentials and keys, which allowed them to reach LastPass’s third-party cloud storage service in November 2022 and access customer information. These incidents are not the first time LastPass has had a cybersecurity issue.
Initially, LastPass (and its parent company GoTo) stated they would be investigating the incident, but didn’t know what data had been accessed or if the data had been exfiltrated. In an updated blog post published just before Christmas, LastPass notified users that the hacker had copied a backup of customer vault data that includes encrypted usernames, passwords, and form-filled data (which is often highly valuable PII). The statement further explained, “There is no evidence that any unencrypted credit card data was accessed,” which, of course, is very different from saying “No unencrypted credit card data was accessed.”
While individual users “unlock” their passwords with a master password (LastPass’s term, not ours) that is not stored on their servers, it is possible for criminals to use brute force to guess passwords and decrypt vault data. Given the frequency of re-used and compromised passwords on the dark web, that may not be necessary.
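The risk described above comes down to a work-factor calculation: once an attacker holds an encrypted vault backup, the only things standing between them and the plaintext are the strength of the master password and the cost of the key-derivation function that turns it into the vault key. The following added example (not code from the article or from LastPass) shows how a defender can reason about that cost. It assumes PBKDF2-HMAC-SHA256 as the key derivation function, a constructed salt, illustrative iteration counts, and a crude character-class entropy estimate; the actual parameters LastPass used are not stated in the extract and are not claimed here.

```python
import hashlib
import math
import string
import time

# Constructed salt for the example; a real vault uses a per-user salt.
EXAMPLE_SALT = b"constructed-example-salt"


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256.

    The iteration count is the defender's main lever: each extra iteration
    costs the legitimate user once per unlock but costs an attacker once
    per guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def estimate_entropy_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the character classes used).

    This overestimates for dictionary words and reused passwords, which is
    exactly why a leaked or reused master password makes brute force unnecessary.
    """
    if not password:
        return 0.0
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password of the given entropy.

    On average an attacker searches half the keyspace before succeeding.
    """
    return (2 ** entropy_bits) / 2 / guesses_per_second


def measure_guess_rate(iterations: int, samples: int = 10) -> float:
    """Measure single-core PBKDF2 guesses per second on this machine.

    This is a defender's lower bound; dedicated hardware is far faster, so
    policy should be set with a generous margin on top of this figure.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", EXAMPLE_SALT, iterations)
    return samples / (time.perf_counter() - start)


def meets_policy(master_password: str, guesses_per_second: float,
                 min_years: float = 100.0) -> bool:
    """Check that brute force at the given guess rate is expected to exceed min_years."""
    seconds = expected_crack_seconds(estimate_entropy_bits(master_password), guesses_per_second)
    return seconds >= min_years * 365.25 * 24 * 3600


if __name__ == "__main__":
    # Illustrative iteration counts, chosen for the example rather than taken from any product.
    for iterations in (1_000, 100_000, 600_000):
        rate = measure_guess_rate(iterations)
        print(f"{iterations:>8} iterations: ~{rate:,.0f} guesses/s on one core")
        for pw in ("Summer2022!", "correct-horse-battery-staple-9X"):
            years = expected_crack_seconds(estimate_entropy_bits(pw), rate) / (365.25 * 24 * 3600)
            print(f"    {pw!r}: ~{years:.2e} years, policy ok={meets_policy(pw, rate)}")
```

The output makes the two halves of the article's point concrete: raising the iteration count scales the attacker's cost linearly, while the entropy of the master password scales it exponentially. Note that the entropy estimate treats "Summer2022!" as a random 11-character string, which it is not; if that password already appears in a breach dump, the expected cost is one guess regardless of the iteration count.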