LastPass, one of the leading password management companies, has announced that hackers obtained a large amount of personal data belonging to its customers, as well as encrypted and hashed passwords and other data stored in its databases.
The revelation, published on Thursday, comes as an update to a LastPass breach that was disclosed in August. At the time, the company said that someone gained unauthorized access through a single compromised developer account to parts of the password manager's development environment and "obtained parts of the source code and some proprietary technical information of LastPass."
The company said at the time that customers' master passwords, encrypted passwords, personal information and other data stored in customer accounts were not affected.
In its update on Thursday, the company said that the hackers had access to personal information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers and IP addresses that customers used to access LastPass services. The hackers also downloaded a backup copy of customer data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes and form-filled data.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using the Zero Knowledge architecture,” said LastPass CEO Karim Toubba, referring to the Advanced Encryption Standard, which is considered strong.
The update said that in the company's investigation so far, there is no indication that the hackers gained access to unencrypted credit card data. LastPass claims that it does not store credit card data in its entirety and that the credit card data it does store is kept in a cloud storage environment different from the one the hackers had access to.