LastPass Admits Encrypted Password Vaults Were Stolen in Breach

LastPass on Wednesday confirmed that encrypted vaults containing customers’ website usernames and passwords, secure notes, and form-filled data were stolen in a recent security breach.

Earlier this month, the popular password manager notified its users that a threat actor used information obtained from an earlier hack in August to break into its cloud-based storage and steal customer data, which included company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.

However, LastPass’s investigation has revealed that passwords, albeit encrypted, were also part of the plunder.

LastPass said in a Thursday blog post:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

Any passwords, secure notes, or form-filled data users had stored with the service remain encrypted and, therefore, safe — provided their master passwords are secure and were created in accordance with LastPass’s recommended best practices.

“The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” the company warned. Meeting LastPass’s twelve-character minimum for master passwords alone “greatly minimizes the ability for successful brute force password guessing.”
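To make concrete what the quoted design means for a stolen backup, here is an added illustrative model written for this page, not LastPass's own code or its proprietary binary format: each record keeps the URL readable, the secret field is AES-256-GCM ciphertext under a key derived from the master password, and every guess at that password must repay the full key-derivation loop before a tag check reveals whether it was right. The iteration count, salt and sample values are constructed assumptions, not LastPass settings.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// VaultRecord is one backup entry: URL in the clear, secret only as AES-256-GCM
// ciphertext (an illustrative layout, not LastPass's proprietary binary format).
type VaultRecord struct{ URL string; Nonce, Ciphertext []byte }

const kdfIterations = 100000 // assumed illustrative work factor, not a LastPass setting

// vaultAEAD derives the 256-bit key from the master password with PBKDF2-HMAC-SHA256
// (one 32-byte block, RFC 8018); the service never sees the password or this key.
func vaultAEAD(masterPassword string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(masterPassword))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ { // every password guess must repay this loop
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block) // AES block size: cannot fail
	return gcm
}

// SealRecord leaves the URL readable but binds it to the ciphertext as associated data.
func SealRecord(masterPassword string, salt []byte, url, secret string) VaultRecord {
	gcm := vaultAEAD(masterPassword, salt)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return VaultRecord{url, nonce, gcm.Seal(nil, nonce, []byte(secret), []byte(url))}
}

// OpenRecord fails the GCM tag check on a wrong master password or a tampered record.
func OpenRecord(masterPassword string, salt []byte, r VaultRecord) (string, error) {
	pt, err := vaultAEAD(masterPassword, salt).Open(nil, r.Nonce, r.Ciphertext, []byte(r.URL))
	return string(pt), err
}
```

Whoever holds the backup can read every URL without a key, which is why the phishing warning below matters even for users with strong master passwords.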

However, if you’ve reused your master password on any other websites, you’re at much greater risk. If you’re unsure of how secure your master password is, LastPass recommends you consider changing the passwords of websites you have stored on the service as an extra security measure.

“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault,” the company added, warning customers to beware of social engineering attacks and the like, which have become more likely given how much personal user information was stolen by the perpetrators.

LastPass assured its customers that their payment information wasn’t compromised. “There is no evidence that any unencrypted credit card data was accessed,” the company said. “LastPass does not store complete credit card numbers and credit card information is not archived.”

Following the August incident, LastPass said it has eliminated any potential for access to its development environment by decommissioning the affected environment in its entirety and rebuilding it from scratch, in order to prevent any further breaches.