Leaked backups of LastPass user data

The developers of the LastPass password manager, which is used by more than 33 million people and more than 100 companies, have notified users of an incident in which attackers gained access to backup copies of the storage holding the service's user data. The data included usernames, addresses, email addresses, phone numbers and the IP addresses from which the service was accessed, as well as the unencrypted names of the sites stored in the password manager and the encrypted logins, passwords, form data and notes stored for those sites.

To protect the logins and passwords for sites, AES encryption is used with a 256-bit key derived with the PBKDF2 function from a master password known only to the user and at least 12 characters long. Encryption and decryption of logins and passwords in LastPass is performed only on the user's side, and brute-forcing the master password is considered unrealistic on modern hardware, given the minimum length of the master password and the number of PBKDF2 iterations applied.

To carry out this attack, the attackers used data obtained during the previous attack in August, which was carried out by compromising the account of one of the service's developers. The August breach gave the attackers access to the development environment, the application code and technical information. It later emerged that they used data from the development environment to attack a second developer, and through that obtained access keys to the cloud storage along with the keys needed to decrypt the data in the containers stored there. The compromised cloud servers hosted full backups of the service's production data.

Source: opennet.ru