LastPass says hackers stole customers’ password vaults

Password management giant LastPass confirmed that its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, were stolen by cybercriminals in a data breach earlier this year.

In an updated blog post about its disclosure, LastPass CEO Karim Touba said hackers took a copy of a customer’s vault data backup using cloud storage keys stolen from a LastPass employee. The cache for client password vaults is stored in a “proprietary binary format” containing unencrypted and encrypted vault data, but the technical and security details of this proprietary format have not been specified. Unencrypted data includes web addresses stored in a vault, but LastPass doesn’t say more or in what context. It is not clear how recent the stolen backups are.

LastPass said that customer password vaults are encrypted and can only be opened using the customers master password, which only the customer knows. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt copies of the vault data they have taken.”

Tuba said the cybercriminals also took massive amounts of customer data, including names, email addresses, phone numbers, and some billing information.

Password managers are a good thing to use to store your passwords, which must all be long, complex, and unique to each site or service. But security incidents like this one are a reminder that not all password managers are created equal and can be attacked or hacked in different ways. Since everyone’s threat model is different, no one person will have the same requirements as another.

In rare (not misspelled) nonsense like this — which we explained in our analysis of LastPass’ data breach notification — if a bad actor has access to customers’ encrypted password vaults, “all they need is the victim’s master password.” An exposed or hacked password vault is only as strong as the encryption – and password – used to forge it.

The best thing you can do as a LastPass customer is to change your current master password on LastPass to a new, unique password (or passphrase) that is written down and kept in a safe place. This means that your current LastPass vault is locked.

If you think your LastPass password vault could be hacked – such as if your master password is weak or you’ve used it somewhere else – you should start changing the passwords stored in your LastPass vault. Start with the most important accounts, like your email accounts, your cell phone plan account, your bank accounts, and your social media accounts, and work your way down the list of priorities.

The good news is that any account protected with two-factor authentication will make it harder for an attacker to access your accounts without that second factor, such as a phone pop-up, text code, or email. That’s why it’s important to secure second factor accounts first, such as email accounts and cell phone plan accounts.