LastPass, a popular password management service, said hackers stole encrypted copies of customer passwords and other sensitive data such as billing addresses, phone numbers and IP addresses.

The announcement is the latest update from a breach that occurred in August. At that time, the company said they had seen no evidence that the hackers had access to customer data or encrypted password vaults.

But the company’s statement on Thursday said that source code and technical information that were stolen as part of that hack was used to target another employee. The hackers were then able to obtain credentials and keys to access and decrypt data stored on a third-party cloud storage space.

They were able to copy such things as basic customer account information, including e-mail addresses and the IP addresses from which customers accessed LastPass, and “fully encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”.

Read also Nigerian Tech Startups Can Now Go Public On Specially Designated Technology Board With New SEC Approval

Password managers are a way for customers to store usernames and passwords in one place and can be accessed using a master password that a customer creates. The master password isn’t known to LastPass nor is stored or maintained by the company, it said in its statement.

The other encrypted data can only be decrypted “with a unique encryption key derived from each user’s master password”, the company said.

Nonetheless, LastPass warned customers that they could be targeted for social engineering, phishing attempts or other methods.

Brute force

“The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” the company said in a statement. “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute-force-guess master passwords for those customers who follow our password best practices.”

For those who follow LastPass’s password guidance, “it would take millions of years to guess your master password using generally available password-cracking technology”, the company said.

The company said that it has hired cybersecurity firm Mandiant to investigate the breach. It also said that it is rebuilding its entire development environment from scratch, an indication that hackers had thoroughly compromised the company’s sensitive systems.

Read also African Credit Fintech Finclusion Raises $2M, Rebrands To Fin

LastPass said that its investigation is ongoing, and that it has notified law enforcement and “relevant regulatory authorities”.

Kelechi Deca

Kelechi Deca has over two decades of media experience, he has traveled to over 77 countries reporting on multilateral development institutions, international business, trade, travels, culture, and diplomacy. He is also a petrol head with in-depth knowledge of automobiles and the auto industry

Many are still in shock at the news that LastPass, a password manager used by more than 33 million people around the world, said a hacker recently stole source code and proprietary information after breaking into its systems.

The company however, claims that it doesn’t believe any passwords were taken as part of the breach and users shouldn’t have to take action to secure their accounts.

An investigation determined that an “unauthorised party” cracked into its developer environment, which is the software that employees use to build and maintain LastPass’s product. The perpetrators were able to gain access through a single compromised developer’s account, the company said.

It is unlikely that the stolen source code will give the criminals access to customer passwords

The attack struck a company that generates and stores hard-to-crack, auto-generated passwords for multiple accounts, like Netflix or Gmail, on behalf of its users — without the need to manually enter credentials.

Read also : Stress Leads to Cybersecurity Mistakes – Anna Collard

Cybersecurity website Bleeping Computer reported that it had asked LastPass about the breach two weeks ago.

Allan Liska, an analyst on the Computer Security Incident Response Team at cybersecurity company Recorded Future, said he was impressed with the “speedy notification” from LastPass.

“While two weeks might seem like a long time to some, it can take a while for incident response teams to fully assess and report on a situation,” he said. “It will take time to fully determine the extent of any damage that may have been as a result of the breach. However, for now it appears to not be client-impacting.”

There was speculation on social media that hackers may be able to access the keys to password vaults after stealing source code and proprietary information.

Read also : Togo Partners ECA to Establish the African Cybersecurity Center

“It is unlikely that the stolen source code will give the criminals access to customer passwords,” Liska said. 

Kelechi Deca

Kelechi Deca has over two decades of media experience, he has traveled to over 77 countries reporting on multilateral development institutions, international business, trade, travels, culture, and diplomacy. He is also a petrol head with in-depth knowledge of automobiles and the auto industry