The safes also contain non-encrypted data. However, these are in a proprietary format. LastPass emphasizes that all passwords are secured by 256-bit AES encryption.
LastPass has published further details about the security incident that became known at the beginning of December. The investigation revealed that the attackers also had access to backups of LastPass’ production environment. In the process, they got their hands on encrypted password vaults belonging to customers.
In general, LastPass says it runs all of its product services on its own servers. However, cloud servers would be used to store backups – or to comply with regional regulations on the retention of customer data in certain countries.
The backups compromised in the December security incident also included user names, billing addresses, email addresses, phone numbers and customer IP addresses used to access LastPass services. LastPass also acknowledged that customers’ password vaults also stored unencrypted information, but in a proprietary file format.
Not encrypted, for example, are the URLs of websites to which passwords have been stored in the vault, LastPass CEO Karim Toubba said. However, usernames, passwords, notes and any form data are protected with 256-bit AES encryption, he said. They could only be decrypted “with a unique encryption key derived from the user’s master password,” Toubba added. “As a reminder, the master password is never known to LastPass and is not stored by LastPass.”
In December, LastPass had only disclosed that data stored on a cloud storage service shared with GoTo had been compromised. The cybercriminals gained access to the storage using information captured in a security incident in August. The previous intrusion involved a LastPass development environment.