The latest cyberattack on the popular Internet password manager, LastPass, was even more serious than the company itself disclosed at the time. In their latest report they released new and potentially dangerous details for their user base.
Paddy Srinivasan, CEO of LastPass parent company GoTo, revealed in an official blog post that the attackers who targeted the cloud storage serviceshared by both companies, it was able to extract encrypted backups related to a number of products from Central, Pro, join.me, Hamachi and RemotelyAnywhere.
In addition to the encrypted backups, the attackers also extracted an encryption key for “a portion” of the encrypted backups, Srinivasan added.
The data now at risk includes account usernames, salted and hashed passwords – it consists of adding some random information before running the hashing algorithm – a part of the multi-factor authentication (MFA) setup and some configuration and information product licensing.
On the other hand, company representatives have assured that the credit cards or bank details they were not hit.
They also said that birthdates, home addresses, and Social Security numbers were protected, as GoTo doesn’t store any of these.
Additionally, the MFA settings of a “small subset” of Rescue and GoToMyPC users were affected. However, they claimed no encrypted database had been taken.
While all account passwords were bypassed and encrypted “in accordance with best practices,” GoTo still reset affected users’ passwords and asked them to re-authorize their MFA settings where possible.
Meanwhile, the CEO also said that heThe company is migrating the affected accounts to an advanced identity management platform to provide additional security and stronger authentication and login-based security options.
Users have also been contacted directly, Srinivasan confirmed.
The consequences of the cyber attack
The series of cyber attacks against the password manager was first revealed in November 2022.
An initial investigation determined that the hackers managed to break into a group of user archive vaults, essentially databases containing all of their passwords. Since this information is encrypted, it has not been easy for cybercriminals to gain access to its contents.
“These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” said Karim Toubba, CEO of LastPass.
“As a reminder, LastPass never knows your master password, never stores or maintains it,” they admitted.
Source: Clarin
Linda Price is a tech expert at News Rebeat. With a deep understanding of the latest developments in the world of technology and a passion for innovation, Linda provides insightful and informative coverage of the cutting-edge advancements shaping our world.