LastPass Breach Exposes Customer Password Vaults

Eric Goldstein
Eric Goldstein Chief Editor
Eric Goldstein Eric Goldstein Chief Editor

Popular password manager LastPass confirmed in a blog post that customers’ password vaults were stolen during a recent data breach.

LastPass said the hackers accessed encrypted vault data like website usernames and passwords, secure notes, and form-filled data. Also, other personal information was exposed in the breach, including billing information, email addresses, phone numbers, and IP addresses.

“We have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022,” LastPass said in the blog post. “While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

“We have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata.”

LastPass reassured customers that the only way hackers can access their encrypted data is with the encryption key associated with customers’ master password. This is why it’s very important that all users have a unique and strong master password.

Even still, customers must be on alert for brute force attacks, which is when a hacker develops tons of possible password combinations to guess your password.

“The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” LastPass said. “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.

“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault.”

LastPass provided a handful of steps customers can take to prevent hackers from accessing their vault information, which included creating a master password that is at least 12 characters long and never using your LastPass master password for any other website password.

About the Author
Eric Goldstein
Eric Goldstein
Chief Editor

About the Author

Eric Goldstein is Chief Editor at SafetyDetectives. As an internet security researcher and IT journalist, he has over 3 years of experience writing and editing articles and blog posts about VPNs, parental controls, and other cybsersecurity products and tools. In addition, Eric writes and edits news stories focused on cybersecurity issues for SafetyDetectives. He also spent 20+ years as a sportswriter for multiple media outlets and served in a communications role for a national corporation. When he's not working, he can be found spending time with his family, working out, and watching his favorite sports teams.