LastPass Data Breach Woes Continue: Hacker Accesses Critical Corporate Vault
On March 1, LastPass announced that a hacker had gained access to a critical corporate vault available to only four top employees. This breach comes on the heels of a previously announced hack in August 2022, which appears to have opened the door for this more serious breach.
Vault Accessed by Hacker
The vault accessed by the hacker contained a cloud-storage environment that included encryption keys for 30 million customer vault backups stored on Amazon web servers. Additionally, the hacker obtained “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
Hacker Now Has Encrypted Copies of All LastPass Customer Password Vaults
The hacker or hacker group now has encrypted copies of every LastPass customer’s password vault, along with the most sensitive internal company secrets and digital access credentials.
LastPass has suffered from previous hacks. In December 2022, the company revealed that hackers had obtained extensive information from user accounts, such as billing and email addresses, end-user names, telephone numbers, and IP address information. Customer vault data was also leaked. LastPass parent company GoTo revealed that the initial hack of LastPass had also affected several of its other products, including online meetings service Join.me, remote access business tool Remotely Anywhere, hosted VPN service Hamachi, and business communications tool Central.
Risks for LastPass Users
All 30 million LastPass users with data stored on the company's servers as of August 2022 are at risk. Hackers now have a copy of users' entire password vaults. If they manage to crack the master password, hackers could take over users' online lives, including full access to emails, bank accounts, healthcare data, tax information, social media accounts, and more.
Risks for Other GoTo Product Users
Users of other hacked GoTo products, including Join.me, Central, Remotely Anywhere, and Hamachi, are also at risk. All of the encrypted backups and encryption keys are now in the hands of hackers, who can use all of the private information to disrupt other parts of users' digital lives.
Experts Question LastPass' Claims
Noted cybersecurity experts have questions about LastPass’ recent updates. Some consider the hack a far graver threat than reported, both to individual users and to companies that employ LastPass for corporate password management. Competing password service 1Password casts doubt on LastPass’ claim that it would take “millions of years” to crack master passwords.
Technomancer is a science and tech enthusiast who enjoys writing about software and AI and other tech topics.