Developers of the password manager LastPass, which is used by more than 33 million people and more than 100 thousand companies, have notified users about an incident in which attackers gained access to backup copies of the storage holding service user data. The data included information such as name, address, email, telephone number and the IP addresses from which the service was accessed, as well as the names of sites saved in the password manager and the encrypted passwords saved for them.
Passwords to sites are protected with AES encryption using a 256-bit key generated with the PBKDF2 function from a master password that is known only to the user and is at least 12 characters long. Encryption and decryption of passwords in LastPass are performed only on the user's side, and guessing the master password is considered unrealistic on modern hardware, given the length of the master password and the number of PBKDF2 iterations applied.
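The derivation described above, as an added example that is not LastPass code: it derives a 256-bit key with PBKDF2 and estimates how offline guessing cost scales with master password length and iteration count. The HMAC-SHA256 PRF, the salt, the iteration count and the attacker hash rate are assumptions chosen for illustration; the article does not state them.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit AES key from the master password on the client side.
    Assumption: PBKDF2 with HMAC-SHA256; the article names only PBKDF2."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)

def years_to_try(guess_count: float, iterations: int, hashes_per_second: float) -> float:
    """Years needed to test guess_count candidates offline.
    Each candidate costs `iterations` PRF evaluations, so cost is linear in it."""
    return guess_count * iterations / hashes_per_second / SECONDS_PER_YEAR

def years_for_random_password(length: int, alphabet_size: int,
                              iterations: int, hashes_per_second: float) -> float:
    """Expected time to hit a uniformly random password (half the keyspace)."""
    return years_to_try(0.5 * alphabet_size ** length, iterations, hashes_per_second)

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    salt = b"user@example.com"
    iterations = 100_000
    rate = 1e10  # assumed attacker throughput, PRF evaluations per second

    key = derive_vault_key("correct horse battery staple", salt, iterations)
    print("derived key:", key.hex())

    # 12 random characters from the 94 printable ASCII symbols.
    print("entropy bits:", round(keyspace_bits(12, 94), 1))
    print("random 12-char, years:",
          f"{years_for_random_password(12, 94, iterations, rate):.2e}")
    # A master password that sits in a 10^9-entry wordlist gets no such margin.
    print("wordlist 1e9 guesses, years:",
          f"{years_to_try(1e9, iterations, rate):.2e}")
```

The estimate only holds for a master password chosen at random; a 12-character password drawn from a predictable list is bounded by the list size, not by the 12-character keyspace.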
To carry out the attack, the attackers used data obtained during the previous attack, which took place in August and was carried out by compromising the account of one of the service's developers. The August breach gave the attackers access to the development environment, the application code and technical information. It later turned out that the attackers used data from the development environment to attack another developer, which allowed them to obtain the access keys to the cloud storage and the keys for decrypting data from the containers stored there. The compromised cloud servers hosted complete backup copies of the production service.