The news from LastPass keeps getting worse, with parent company GoTo admitting an encryption key was stolen in its latest breach.
LastPass suffered a data breach in August and has been slowly releasing more details regarding the severity of the breach. What began as theft of source code graduated to theft of user password vaults. Even then, the company reassured users that their passwords were secure, since the vaults were still protected by encryption.
Unfortunately, the company has revised its information — yet again — and acknowledged that an encryption key for at least some downloaded data was also stolen. The breach also impacts other GoTo products.
“We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups,” writes GoTo CEO Paddy Srinivasan. “The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
Needless to say, LastPass users should immediately change all of their passwords and closely monitor their accounts and services for unauthorized access.
It is extremely disturbing that the LastPass breach continues to get worse. Despite the situation, the company has still not disclosed important information regarding the incident, such as exactly how many customers have been impacted.
Given how LastPass has handled this breach, it is increasingly hard to justify using the service or trusting that it can protect its customers.