02 December 2022

Intruders gain access to user data in LastPass incident

Intruders broke into a third-party cloud storage service LastPass shares with affiliate company GoTo and gained access to "certain elements" of customers' information, the pair have confirmed.

LastPass did not define what it meant by "certain elements," saying it was unsure what data was looked at: "We are working diligently to understand the scope of the incident and identify what specific information has been accessed this morning."

It did maintain, however, that services were unaffected and that customers' passwords remained "safely encrypted" – without ruling out that some of the data was stolen. The company is known to use a one-way salted hash for master passwords, with a fuller description in its technical whitepaper. The master passwords are used to lock users' password vaults, where their logins for various websites etc. can be stored, with the passphrase only ever entered by the user in their browser or app and not sent to or stored by LastPass.
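The general design that paragraph describes, as an added illustration that is not taken from the article or from LastPass's whitepaper: the key that locks the vault is derived on the user's device, and the server keeps only a salted one-way hash of a separate login value. PBKDF2-HMAC-SHA256, the iteration count, the use of the e-mail address as the client-side salt and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a figure from the article


def client_derive(email: str, master_password: str):
    """Runs on the user's device; the master password never leaves it."""
    salt = email.lower().encode()  # assumption: per-user salt the client can recompute
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS
    )
    # One more one-way step: the value sent at login cannot be turned
    # back into the key that decrypts the vault.
    login_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1
    )
    return vault_key, login_hash


def server_enroll(login_hash: bytes) -> dict:
    """Server side: store only a salted, stretched hash of the login value."""
    server_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, ITERATIONS)
    return {"salt": server_salt, "hash": stored}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", login_hash, record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample account, not real data.
    vault_key, login_hash = client_derive("user@example.com", "correct horse battery staple")
    record = server_enroll(login_hash)
    print("login accepted:", server_verify(record, login_hash))
    print("server record holds vault key:", vault_key in record.values())
```

In a design like this, what the server stores is enough to check a login but contains neither the master password nor the vault key, so the protection of a copied vault rests on the strength of the master password and the work factor.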

