LastPass confirms customer password vaults were stolen

(Image credit: LastPass)

The data breach incident that hit password manager LastPass earlier this year saw the thieves crooks steal encrypted password vaults belonging customers, the company has confirmed.

The password vault is where people keep their passwords, so should the attackers find a way to decrypt the vaults, they’d be able to read all of the passwords saved in there.

In an update published on the LastPass blog, CEO Karim Toubba said that the threat actors used cloud storage keys stolen from a LastPass employee to access and exfiltrate customer vault data. The data stolen is a combination of encrypted intelligence - password vaults, and unencrypted information - vault-stored web addresses, names, email addresses, phone numbers, and in some cases - billing information.

Master password secure

The good news is that the password vaults are stored in a “proprietary binary format”, meaning that it’s close to impossible to actually read the contents. For that, the attackers would need the customer’s master password, which no one but the user (hopefully) knows. LastPass claims not to know this info. 

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Still, the company warned cybercriminals “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” which could be a problem if the users created weak and easy-to-guess master passwords. 

For those worried their master password might be cracked, the best thing to do right now would be to change it to something more resilient. If you have reason to believe the contents of your vault might be compromised, then changing the passwords is the only way to stay safe (aside from setting up multi-factor authentication whenever possible). 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.