Another update on the recent LastPass data breach has revealed even more potentially bad news for users of the password manager. (opens in a new tab).
Paddy Srinivasan, CEO of LastPass parent company GoTo, revealed in a blog post (opens in a new tab) that attackers targeting the third-party cloud storage service shared by both companies managed to exfiltrate encrypted backups related to a number of products.
These products include Central, Pro, join.me, Hamachi, and RemotelyAnywhere.
Encryption key taken
In addition to the encrypted backups, the attackers also extracted an encryption key for “a portion” of the encrypted backups, Srinivasan added.
The data now at risk includes account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, and some product settings and license information. Credit card or bank details were not affected. Dates of birth, home addresses and Social Security numbers were also said to be safe, since GoTo does not store any of these.
Additionally, the MFA settings of a “small subset” of Rescue and GoToMyPC users have been affected. However, it was said that no encrypted databases had been taken.
While all account passwords were hacked and scrambled “in accordance with best practices,” GoTo still reset the passwords. (opens in a new tab) of affected users and asked them to reauthorize their MFA settings, where possible. The CEO also said the company is migrating affected accounts to an enhanced identity management platform to provide additional security and stronger login and authentication-based security options.
Affected customers are being contacted directly, Srinivasan confirmed.
LastPass first reported that it suffered a data breach in November 2022. An initial investigation determined that hackers managed to steal customer vaults, essentially databases containing all of their passwords. However, the vaults themselves are encrypted, which means it won’t be as easy for thieves to read their contents.
“These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” said Karim Toubba, CEO of LastPass. “As a reminder, Master Password is never known by LastPass and is not stored or maintained by LastPass.”