LastPass has confirmed that threat actors stole customers' encrypted password vaults from its cloud storage service, following the data breach it disclosed in August this year. The vault data is not entirely encrypted: fields such as website URLs are stored in the clear, while the more sensitive fields, including username and password pairs, secure notes and form-fill data, are encrypted.
Those encrypted fields are protected with 256-bit AES, under a key derived on the customer's device from their master password. LastPass never receives the master password or the key, so the company itself cannot decrypt the vaults. The flip side is that whoever holds a stolen copy can run that same key derivation offline against guessed master passwords, with no account lockout or rate limiting in the way. The security of each stolen vault therefore rests entirely on how hard its master password is to guess and on how expensive each guess is made by the key-derivation settings.
The company had previously stated that only parts of the customer data were accessed but has now confirmed the full extent of the breach. According to Lastpass CEO Karim Toubba, the cloud storage service stores archived backups of production data. It’s unclear at the moment how recent these backups are.
As for the data copied from the backup, Toubba notes that it included “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service”.
Attackers can be expected to try brute-forcing their way into the stolen vaults, but that should be extremely difficult for anyone who followed LastPass's master-password guidance. The company's advisory goes as far as claiming it would take "millions of years to guess your master password using generally-available password-cracking technology". That estimate assumes a long, unique master password and the default key-derivation settings; a short, guessable or reused master password, or an account whose key-derivation iteration count was set low, is a far softer target for an offline attack.
Since the company says it does not know or store its customers' master passwords, courtesy of its "zero knowledge architecture and encryption algorithms", the encrypted vault contents stay protected only as long as the master password is strong and has not been exposed elsewhere.
If you're a LastPass customer, we'd recommend changing your master password per the company's suggested best practices. Bear in mind what that does and does not fix: a new master password protects your live account, but it cannot re-encrypt the copy of your vault the attackers already hold, which stays protected only by the strength of the password it was encrypted under. If that password was short, guessable or reused elsewhere, treat the contents of the vault as exposed and start rotating them, beginning with the most sensitive accounts such as bank, cell phone plan, email and social media accounts, and ensure multi-factor authentication is enabled wherever it is supported.