Popular password manager LastPass confirmed in a blog post that customers’ password vaults were stolen during a recent data breach.
LastPass said the hackers accessed encrypted vault data such as website usernames and passwords, secure notes, and form-filled data. Other personal information was also exposed in the breach, including billing information, email addresses, phone numbers, and IP addresses.
“We have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022,” LastPass said in the blog post. “While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
“We have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata.”
LastPass reassured customers that the only way hackers can access their encrypted data is with the encryption key derived from each customer’s master password. This is why it is so important that every user has a unique and strong master password.
Even so, customers should stay alert for brute-force attacks, in which an attacker tries large numbers of candidate passwords until one decrypts the stolen vault copy.
“The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” LastPass said. “Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.
“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault.”
LastPass provided a handful of steps customers can take to prevent hackers from accessing their vault information, including creating a master password that is at least 12 characters long and never reusing the LastPass master password as the password for any other website.
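The two points above (slow key derivation on the vendor side, and master-password length and uniqueness on the customer side) combine into one offline-guessing cost model. The script below is an added example written for this article, not LastPass code, and it does not reproduce LastPass's actual parameters: it assumes a PBKDF2-HMAC-SHA256 vault key salted with the account email, illustrative iteration counts of 5,000 and 100,100, and a constructed attacker throughput of 1e10 SHA-256 computations per second. It shows why raising the iteration count only divides the attacker's rate by a constant, while each extra character of a random master password multiplies the work.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email_salt: str, iterations: int) -> bytes:
    """Assumed vault key derivation for illustration: PBKDF2-HMAC-SHA256 keyed by
    the master password and salted with the account email. The scheme shape and
    parameters are assumptions for this example, not values from the notice."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email_salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of the given length drawn
    from an alphabet of the given size (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected offline guessing time for a random password of `bits` entropy.

    Every guess forces the attacker through the full PBKDF2 loop, so the
    iteration count divides their guess rate. On average the password is
    found after trying half the keyspace."""
    derivations_per_second = hashes_per_second / iterations
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / derivations_per_second


def expected_crack_years(length: int, alphabet_size: int, iterations: int,
                         hashes_per_second: float) -> float:
    bits = keyspace_bits(length, alphabet_size)
    return expected_crack_seconds(bits, iterations, hashes_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed attacker model: 1e10 SHA-256/s of GPU throughput (assumption).
    ATTACKER_HASHES_PER_SECOND = 1e10
    ALPHABET = 95  # printable ASCII

    # Sanity check that the derivation is deterministic per (password, salt).
    k1 = derive_vault_key("correct horse battery", "user@example.com", 100_100)
    k2 = derive_vault_key("correct horse battery", "user@example.com", 100_100)
    assert k1 == k2 and len(k1) == 32

    print(f"{'length':>6} {'bits':>6} {'5,000 iters (yrs)':>20} {'100,100 iters (yrs)':>22}")
    for length in (8, 10, 12, 16):
        bits = keyspace_bits(length, ALPHABET)
        low = expected_crack_years(length, ALPHABET, 5_000, ATTACKER_HASHES_PER_SECOND)
        high = expected_crack_years(length, ALPHABET, 100_100, ATTACKER_HASHES_PER_SECOND)
        print(f"{length:>6} {bits:>6.1f} {low:>20.3e} {high:>22.3e}")
```

The table makes the asymmetry concrete: moving from 5,000 to 100,100 iterations buys a fixed factor of about 20, whereas going from 8 to 12 random printable characters adds roughly 26 bits, a factor of tens of millions. That is the reasoning behind the 12-character minimum, and it only holds for passwords that are not reused elsewhere, since a password leaked from another site is guessed on the first attempt rather than after half the keyspace.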