Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a Dec. 23 statement from the company. This means that the attacker may be able to crack some website passwords of LastPass users through brute force guessing. LastPass first disclosed the breach in August 2022 but at that time, it appeared that the attacker had only obtained source code and technical information, not any customer data. However, the company has investigated and discovered that the attacker used this technical information to attack another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system. As a result, unencrypted customer metadata has been revealed to the attacker, including “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” In addition, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Luckily, the vaults are encrypted with a Master Password, which should prevent the attacker from being able to read them.
Read more : LastPass attacker stole password vault data, showing Web2’s limitations.