> Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
Wow. So those backups - which I hope and assume are encrypted with users’ credentials and were supposed to have one more layer of “LastPass” corp encryption - now seem to be lacking the latter. This sounds equivalent to stealing the encrypted blobs from each and every LP user.
(Hoping to be wrong here)
If one workstation getting hacked led to something like this I wonder what other mess is hiding in the crypto details…
I don't think so. Per LastPass's description of their architecture, their server never sees your unencrypted passwords. (Though substantial metadata, such as the website URLs, is not encrypted.)
To get unencrypted vaults, they'd need to change the client-side code. But we haven't been told that this happened.
(As a best practice, it's probably best to assume everything in the LastPass vault was compromised at this point.)