Password manager Lastpass warned customers that as a result of cyber attacks on his Systems in August attackers copied encrypted files containing passwords
“some source code and technical information were stolen from our development environment and used to attack one of the employees, obtaining accounting data and keys that were used to access and decipher some volumes of storage in the cloud storage service,” the service said.
Hackers gained access to the following information:
- The main information on the client’s account;
- the names of the companies;
- names of end users;
- payment addresses;
- email addresses mail;
- phone numbers;
- ip addresses of users.
According to the company, the attacker also copied the data of “customer storage” – a file that Lastpass uses so that customers can record their passwords. This storage contains:
- URL addresses of saved sites;
- fully encrypted logins and site passwords;
- Protected notes;
- Automation data.
This means that attackers have user passwords. But they are encrypted using “256-bit AES-shift and can be deciphered only with the help of a unique encryption key obtained from the master paralle of each user.”
Despite the fact that attackers have users passwords, they will not be able to choose a master parole with a brutofors, since the time required for this is even impossible to count. Among other recommendations, Lastpass advised not to use the master parole on other sites or services.