Risk & Repeat: Breaking down the LastPass breach

Password management company LastPass recently disclosed a breach in which a threat actor stole customer data, including encrypted website login info, unencrypted website URLs and personal information.

The breach was disclosed via a December update to a blog post disclosing a separate but related breach that occurred in August. LastPass CEO Karim Toubba wrote that a threat actor used stolen technical data from the August breach to target a LastPass employee and steal encryption keys. The keys included dual storage container decryption keys and a cloud storage access key, which were used to steal customer information from backups.

The customer data included company and end-user names, billing and email addresses, telephone numbers and IP addresses used by customers to access their LastPass accounts. Stolen data also included encrypted website usernames and passwords, plus unencrypted website URLs.

The breach has been met with a wave of criticism from competitors and professionals in the security space. Competitor 1Password published a blog post disagreeing with LastPass' claim that it would take "millions of years" to crack a master password. John Scott-Railton, senior researcher with Citizen Lab at University of Toronto, meanwhile, tweeted that the unencrypted website URLs could contain user account tokens and credential data.

In this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the fallout of the latest LastPass breach.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a writer, journalist and podcaster based in Boston.