The hacker copied information from backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.
”Given the sensitivity of the data stored by LastPass, it’s alarming that such a wide breadth of personal data was obtained. While cracking the password hashes would require massive amounts of resources, it’s not out of the question, particularly given how methodical and resourceful the threat actor was.
LastPass customers should ensure they have changed their master password and all passwords stored in their vault. They should also make sure they’re using settings that exceed the LastPass default.
LastPass customers should also be extra alert for phishing emails and phone calls purportedly from LastPass or other services seeking sensitive data and other scams that exploit their compromised personal data. The company also has specific advice for business customers who implemented the LastPass Federated Login Services.
Read more about this topic at: Ars Technica
