The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company.
The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers, including their encrypted password vaults, by using data siphoned from the earlier break-in.
Also stolen is “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the company said.
The August 2022 incident, which remains under investigation, involved the miscreants accessing source code and proprietary technical information from the company's development environment via a single compromised employee account.
LastPass said this permitted the unidentified attacker to obtain credentials and keys that were subsequently leveraged to extract information from a backup stored in a cloud-based storage service, which it emphasized is physically separate from its production environment.
On top of that, the adversary is said to have copied customer vault data from the encrypted storage service. It’s stored in a “proprietary binary format” that contains both unencrypted data, such as website URLs, and fully-encrypted fields like website usernames and passwords, secure notes, and form-filled data.