Bad news – LastPass owner confirms customer backups were stolen


Another update on LastPass’s recent data breach has revealed even more potentially bad news for users of the password manager.

Paddy Srinivasan, CEO of LastPass parent company GoTo, revealed in a blog post that the attackers targeting the third-party cloud storage service shared by both companies managed to exfiltrate encrypted backups related to a number of products.

These products include Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

Encryption key taken

In addition to encrypted backups, the attackers also exfiltrated an encryption key for “part” of the encrypted backups, Srinivasan added.

The data now at risk includes account usernames, salted and hashed passwords, some Multi-Factor Authentication (MFA) settings, and some product settings and licensing information. Credit card or bank details were not compromised. Dates of birth, residential addresses, and social security numbers would also be safe, as GoTo does not store any of these.

In addition, the MFA settings of a “small subset” of Rescue and GoToMyPC users have been affected. However, the encrypted databases for those products were not exfiltrated.

While all account passwords are salted and hashed “in accordance with best practices,” GoTo is still resetting the passwords of affected users and having them reauthorize their MFA settings where possible. The CEO also said the company is migrating impacted accounts to an enhanced Identity Management Platform to provide additional security and more robust authentication and login-based security options.

Affected customers are being reached directly, Srinivasan confirmed.

LastPass first reported a data breach in November 2022. An initial investigation found that the hackers managed to steal customers’ vaults, which are basically databases containing all of their passwords. However, the vaults themselves are encrypted, meaning the crooks won’t have an easy time reading their contents.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” said Karim Toubba, CEO of LastPass. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
