LastPass, one of the leading password management companies, has announced that hackers obtained a large amount of personal data belonging to its customers, encrypted - hashed passwords and other data stored in its databases.
The revelation, which published on Thursday, comes as an update on a LastPass breach that was disclosed in August. At the time, the company said that someone gained unauthorized access through a single compromised developer account to parts of the password manager's development environment and "obtained parts of the source code and some proprietary technical information of LastPass."
The company said at the time that customers' master passwords, encrypted passwords, personal information and other data stored in customer accounts were not affected.
In Thursday's update, the company said the hackers accessed personal information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers and IP addresses that customers used to access LastPass services. The hackers also downloaded a backup of customer data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes and form-filled data.
"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using Zero Knowledge architecture," said LastPass CEO Karim Toubba, referring to Advanced Encryption Scheme that is considered strong.
The update said that in the company's investigation so far, there is no indication that the hackers gained access to unencrypted credit card data. LastPass claims it does not store credit card data in its entirety, and the credit card data it does store is kept in a different cloud storage environment than the one accessed by the hackers.
