
By Cheryl Kahla

Content Strategist


LastPass data breach: Hackers copied your password vault and personal info

The breach occurred back in August and LastPass is only shining light on the matter now... Here's what you need to know.


LastPass – a password manager and generator meant to safeguard your online information in a secure vault – warned customers of a recent data breach.

The cybersecurity company said an “unauthorised party” recently gained access to a third-party cloud-based storage service.

LastPass data breach

The storage service is used for archived backups of LastPass’ production data and unfortunately also contained a copy of backup customer vault data.

In addition to accessing user passwords, the hackers also stole a large volume of other data, such as user names, email addresses, phone numbers and billing information.

The data breach occurred in August 2022 and included “some source code and technical information stolen from our development environment”.

Password vaults stolen

LastPass said the information was stolen by the hackers “to target another employee, obtaining credentials which were used to access and decrypt some storage volumes within the storage service”.

“The [hacker] copied information from the backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service”.

That said, LastPass assured users that their master password is “secure” because it is not even known to the company and “not stored or maintained by LastPass”.


Is there a security threat to you?

LastPass CEO Karim Toubba said the hackers “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took”.

However, the chances of the hacker guessing the password are slim due to the “hashing and encryption methods we use to protect our customers”.

“It would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices”.

Moreover, LastPass suggests never reusing your master password on other websites.

LastPass said if you followed their guidelines, “it would take millions of years to guess your master password using generally-available password-cracking technology”.

What should you do now?

Due to the company’s security measures, LastPass said “there are no recommended actions that you need to take at this time”.

The company incorporated a twelve-character minimum for master passwords back in 2018, which makes it harder to crack.

It also uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2)”.

This is a password-strengthening algorithm which makes it difficult to guess your master password.
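To make the arithmetic behind the quoted claims concrete, here is an added Python example (not LastPass code): it stretches a master password with PBKDF2 at the 100,100 iterations and twelve-character minimum quoted above, and estimates how long exhausting a password space would take. The choice of SHA-256, the salt, the alphabet size and the attacker's hash rate are assumptions made for the example, not figures from the article.

```python
import hashlib
import math

# Figures quoted in the article.
ITERATIONS = 100_100        # PBKDF2 iterations
MIN_MASTER_LEN = 12         # minimum master password length since 2018

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def meets_length_policy(master_password: str) -> bool:
    """True if the master password satisfies the twelve-character minimum."""
    return len(master_password) >= MIN_MASTER_LEN


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    SHA-256 and the caller-supplied salt are assumptions for this example;
    the article only states the iteration count.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )


def years_to_exhaust(length: int, charset_size: int,
                     hashes_per_second: float,
                     iterations: int = ITERATIONS) -> float:
    """Upper bound on the time to try every password of the given length.

    Each guess costs `iterations` HMAC evaluations, so the stretching divides
    the attacker's raw hash rate by the iteration count. The hash rate and
    alphabet size are whatever the caller assumes about the attacker.
    """
    keyspace = charset_size ** length
    guesses_per_second = hashes_per_second / iterations
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample values: a 12-char password, a fixed salt,
    # a 94-symbol printable ASCII alphabet and 1e10 raw hashes per second.
    key = derive_vault_key("correct-horse-7", b"example-salt")
    print("vault key:", key.hex())
    print("12 chars, 100,100 iterations: %.2e years" % years_to_exhaust(12, 94, 1e10))
    print("12 chars, 1 iteration:        %.2e years" % years_to_exhaust(12, 94, 1e10, 1))
    print("8 chars,  100,100 iterations: %.2e years" % years_to_exhaust(8, 94, 1e10))
```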

Going forward

Meanwhile, LastPass said since the breach was found, they’ve “eradicated any further potential access to the LastPass development environment”.

The company did this by “decommissioning that environment in its entirety and rebuilding a new environment from scratch”.

“We have added additional logging and alerting capabilities to help detect any further unauthorised activity”.

LastPass said it is working with law enforcement and relevant regulatory authorities as the investigation continues.

Make sure you follow best password practices by following our guide.
