LastPass confirms hackers stole encrypted password vaults
LastPass has confirmed that hackers stole customers’ encrypted password vaults in a data breach earlier this year. In an updated blog post, LastPass CEO Karim Toubba stated that the intruders took a copy of a backup of customer vault data using cloud storage keys stolen from a LastPass employee.
The stolen cache of customer password vaults is stored in a proprietary binary format that contains both unencrypted and encrypted data; the technical and security details of this format were not specified. The unencrypted data includes the web addresses stored in the vault. It is not clear when the stolen backups were taken.
LastPass has reassured customers that their password vaults are encrypted and can only be unlocked with the customer’s master password, which is known only to the customer. However, the company has warned that the hackers may attempt to brute-force the master password offline in order to decrypt the copies of the vault data they took.
In addition to the password vaults, the hackers also accessed a large amount of customer data, including names, email addresses, phone numbers, and some billing information.
This data breach highlights the importance of using a password manager to store and protect passwords: it is generally easier and more secure to use a single strong password for a password manager than to remember and protect a separate complex password for each online account.
However, it is also a reminder that no password manager is completely invulnerable to attack, and that it is important to choose a reputable and secure service. As a precaution, LastPass customers should take steps to secure their accounts. The most important action is to change the master password to a unique and strong one, and to write it down and keep it in a safe place.
Enabling two-factor authentication also provides an extra layer of protection, as it makes it more difficult for an attacker to access an account without the second factor, such as a phone pop-up or a code sent by text message or email.
If there is a concern that the password vault may be compromised, for example because the master password is weak or has been reused elsewhere, it is also advisable to change the passwords stored in the LastPass vault, starting with the most critical accounts such as email, banking, and social media.