The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company.
The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults by using data siphoned from the earlier break-in.
Among the data stolen are “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the company said.
The August 2022 incident, which remains a subject of an ongoing investigation, involved the miscreants accessing source code and proprietary technical information from its development environment via a single compromised employee account.
LastPass said this permitted the unidentified attacker to obtain credentials and keys that were subsequently leveraged to extract information from a backup stored in a cloud-based storage service, which it emphasized is physically separate from its production environment.
images from Hacker News