What you need to know
- LastPass says that customers' password vaults have ended up in the hands of cybercriminals.
- The hackers used information they obtained from a previous incident that LastPass disclosed last August.
- Master passwords remain secure and LastPass says it will take millions of years for hackers to guess them.
The security breach revealed by LastPass in August is worse than previously thought. LastPass has confirmed that cybercriminals used information obtained from the previous incident to obtain encrypted password vaults and other customer data.
According to the latest update (opens in new tab) from the password manager, hackers were able to "copy a backup of customer vault data from the encrypted storage container," which contained both unencrypted data like URLs and encrypted data fields like website usernames and passwords, secure notes, and form-filled data.
LastPass said in August that while hackers gained access to parts of its development environment, no customer data was compromised. A few months later, the company revealed that "certain elements" of customer data were actually affected by the security incident.
Threat actors gained access to its source code and other technical data and used this information to compromise the account of a LastPass developer. The hackers eventually stole backup copies of user password vaults as a result of the incident.
Fortunately, cybercriminals will be unable to unlock the encrypted password vaults without the master passwords, which only account owners know. The company emphasizes that master passwords are protected by its Zero Knowledge architecture, which means that not even LastPass knows it.
However, LastPass has warned customers that the hackers “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took." This is likely given that the password vaults are now in the hands of the threat actors.
In addition to the password vaults, hackers gained access to a treasure trove of data, including names, email addresses, phone numbers and some billing information. Affected LastPass account owners are also potentially vulnerable to "phishing attacks, credential stuffing, or other brute force attacks against online accounts" that are linked to their LastPass vault.
This security breach serves as a reminder that even the best password managers are vulnerable to attack. It's always a good idea to never use the same password for all of your online accounts. In this case, LastPass recommends not using your master password on other websites. Better yet, it is advised that you replace your current LastPass master password with a unique combination and protect your account with two-factor authentication.
