What you need to know
- LastPass says its customers’ password vaults have fallen into the hands of cybercriminals.
- The hackers used information they obtained from a previous incident that LastPass disclosed last August.
- Master passwords remain secure; LastPass says it would take hackers millions of years to guess them.
The security breach disclosed by LastPass in August is worse than previously thought. LastPass has confirmed that cybercriminals used information obtained from the previous incident to obtain encrypted password vaults and other customer data.
According to the latest update from the password manager, hackers were able to “copy a backup copy of customer vault data from the encrypted storage container,” which contained both unencrypted data such as URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.
LastPass said in August that while hackers gained access to parts of its development environment, no customer data was compromised. A few months later, the company revealed that “certain elements” of customer data were indeed affected by the security incident.
Threat actors gained access to the source code and other technical data and used this information to compromise the account of a LastPass developer. The hackers eventually stole backups of user password vaults as a result of the incident.
Fortunately, cybercriminals will not be able to unlock the encrypted password vaults without the master passwords, which only account owners know. The company emphasizes that master passwords are protected by its Zero Knowledge architecture, meaning not even LastPass knows them.
However, LastPass has warned customers that the hackers “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.” This is likely given that the password vaults are now in the hands of the threat actors.
In addition to the password vaults, hackers gained access to a treasure trove of data, including names, email addresses, phone numbers and some billing information. Affected LastPass account holders are also potentially vulnerable to “phishing attacks, credential stuffing or other brute force attacks against online accounts” linked to their LastPass vaults.
This security breach serves as a reminder that even the best password managers are vulnerable to attack. It’s always a good idea to never reuse the same password across your online accounts. In this case, LastPass recommends not using your master password on other sites. Better yet, replace your current LastPass master password with a new, unique combination and protect your account with two-factor authentication.