The data breach incident that hit password manager (opens in new tab) LastPass earlier this year saw the thieves crooks steal encrypted password vaults belonging customers, the company has confirmed.
The password vault is where people keep their passwords, so should the attackers find a way to decrypt the vaults, they’d be able to read all of the passwords saved in there.
In an update (opens in new tab) published on the LastPass blog, CEO Karim Toubba said that the threat actors used cloud storage keys stolen from a LastPass employee to access and exfiltrate customer vault data. The data stolen is a combination of encrypted intelligence – password vaults, and unencrypted information – vault-stored web addresses, names, email addresses, phone numbers, and in some cases – billing information.
Master password secure
The good news is that the password vaults are stored in a “proprietary binary format”, meaning that it’s close to impossible to actually read the contents. For that, the attackers would need the customer’s master password, which no one but the user (hopefully) knows. LastPass claims not to know this info.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
Still, the company warned cybercriminals “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” which could be a problem if the users created weak and easy-to-guess master passwords.
For those worried their master password might be cracked, the best thing to do right now would be to change it to something more resilient. If you have reason to believe the contents of your vault might be compromised, then changing the passwords is the only way to stay safe (aside from setting up multi-factor authentication whenever possible).
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba