
LastPass admits attackers have a copy of customers’ password vaults

Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.

In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that the August 2022 attack saw “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The update reveals that the attacker also copied “customer vault” data – the file LastPass uses to let customers record their passwords.

That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Which means the attackers have users’ passwords. But thankfully those passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.

LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.”

One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.
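To make concrete what "a unique encryption key derived from each user's master password" means, and why the "millions of years" figure depends entirely on the master password being strong and unique, here is an added illustration in Python that is not LastPass's code. It assumes PBKDF2-HMAC-SHA256 as the key-derivation function, a per-user salt, and an iteration count and hashing throughput chosen purely for illustration; the article states none of these parameters.

```python
"""Added illustration: vault key derived from a master password, and the
offline-guessing cost that derivation imposes. Not LastPass's code; the KDF,
iteration count and throughput figures below are assumptions."""
import hashlib
import secrets

KEY_LEN = 32  # 256-bit key, matching the article's "256-bit AES" statement
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the symmetric key that protects the vault's encrypted fields.

    The key exists only on the client: whoever holds a copy of the vault
    must reproduce this derivation for every password they want to test.
    (PBKDF2-HMAC-SHA256 is assumed here for illustration.)
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def new_user_salt() -> bytes:
    """Per-user random salt so identical master passwords yield different keys."""
    return secrets.token_bytes(16)


def password_keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of the given length over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(keyspace: int, iterations: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate when each guess costs one full
    KDF run. hashes_per_second is an assumed raw SHA-256 throughput; the
    iteration count divides it to give guesses per second."""
    guesses_per_second = hashes_per_second / iterations
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def reuse_scenarios(iterations: int, hashes_per_second: float) -> dict:
    """Compare a strong, unique master password with one already known from
    another breach (keyspace collapses to a single guess)."""
    strong = years_to_exhaust(password_keyspace(12, 95), iterations, hashes_per_second)
    reused = years_to_exhaust(1, iterations, hashes_per_second)
    return {"strong_unique_years": strong, "reused_known_years": reused}


if __name__ == "__main__":
    salt = new_user_salt()
    key = derive_vault_key("correct horse battery staple", salt, 100_000)
    print("vault key:", key.hex())
    # Assumed figures: 100k iterations, 1e10 SHA-256/s across an attacker's GPUs.
    print(reuse_scenarios(100_000, 1e10))
```

The point the numbers make: with a long random master password the exhaustive search is astronomically long, but the same derivation runs in microseconds once the password is already known from another site, which is exactly the re-use risk the article describes.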

Yet we know that users are often dumbfoundingly lax at choosing good passwords, while two-thirds re-use passwords even though they should know better.

So while LastPass is confident that the files copied from its cloud will resist brute force attempts to crack the master password, if that credential is already out there … you know how this one ends and it is not pleasant, as a LastPass account can store hundreds of passwords.

Oh and let’s not forget that the LastPass customer vault can also store plenty of other sensitive personal information.

LastPass therefore offered the following advice to individual and business users:

Enjoy changing all those passwords, dear reader.

LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections. ®
