LastPass has confirmed a data breach affecting the password manager: the company said earlier this year that attackers had stolen encrypted password vaults belonging to customers.
The password vault is where people store their passwords, so if the attackers find a way to decrypt the vaults, they can read every password stored in them.
In an update published on the LastPass blog, CEO Karim Toubba said that the attackers used cloud storage keys stolen from a LastPass employee to access and exfiltrate customer vault data. The stolen data mixes the encrypted fields of the password vaults, such as the stored passwords, with unencrypted data: the website URLs kept in the vault, along with customer names, email addresses, phone numbers and, in some cases, billing information.
Master password secure
The good news is that the sensitive fields in the vaults are encrypted; LastPass describes the vaults as being stored in a "proprietary binary format". The format itself offers no protection, though. What keeps the contents unreadable is the encryption, and to undo it an attacker needs the customer's master password, which (ideally) nobody but the user knows. LastPass says it does not hold this information.
“These encrypted fields remain secured with AES 256-bit encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” said Toubba. “For the record, the master password is never known to LastPass and is not stored or maintained by LastPass.”
However, the company warns that cybercriminals "may try to use brute force to guess the master password and decrypt vault copies". That is the real risk for anyone whose master password is weak or easy to guess: the vault copies are already in the attackers' hands, so the guessing happens offline, at whatever rate their hardware allows and with no account lockout to slow it down.
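To make the brute-force warning concrete, here is an added example (not code from the article or from LastPass) of the offline guessing attack against a stolen vault copy. It assumes the vault key is derived as PBKDF2-HMAC-SHA256 over the master password with the lowercased account email as the salt, which is the scheme LastPass is known to use; the 100,100 iteration count, the email address, the weak master password and the wordlist are all constructed for the example. Because the real vault is AES-256 ciphertext, a hash of the derived key stands in for "decrypt and check whether the result is valid": it gives the attacker the same yes/no answer per guess at the same PBKDF2 cost, which is what sets the guessing rate.

```python
"""Offline master-password guessing against a stolen vault (added example, not LastPass code)."""
import hashlib
import hmac
import time

ITERATIONS = 100_100  # assumed per-account PBKDF2 iteration count for this example


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256(master password, salt = lowercased email) -> 256-bit AES key.
    Only the client ever runs this; LastPass never sees the master password."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def vault_check_value(vault_key: bytes) -> bytes:
    """Constructed stand-in for 'AES-256-decrypt the vault and see whether the plaintext
    is plausible'. Same yes/no outcome per guess; the expensive step is still PBKDF2."""
    return hashlib.sha256(b"constructed-vault-check|" + vault_key).digest()


def crack_vault(email: str, check: bytes, candidates, iterations: int = ITERATIONS):
    """Try each candidate master password against the stolen copy.
    Returns (password, guesses_made) on success, or (None, guesses_made)."""
    guesses = 0
    for guess in candidates:
        guesses += 1
        derived = vault_check_value(derive_vault_key(guess, email, iterations))
        if hmac.compare_digest(derived, check):
            return guess, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure single-core PBKDF2 throughput at a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-sample-{i}", "timing@example.com", iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def years_to_exhaust(keyspace: int, iterations: int, cores: int = 1) -> float:
    """Rough time to try every password in `keyspace`, scaled linearly across `cores`."""
    rate = guesses_per_second(iterations) * cores
    return keyspace / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    email = "victim@example.com"  # constructed account email, doubles as the KDF salt
    # The stolen vault copy, encrypted under a weak, guessable master password (constructed).
    stolen_check = vault_check_value(derive_vault_key("Summer2022!", email))
    # A tiny constructed wordlist; a real attacker uses leak-derived lists of many millions.
    wordlist = ["password", "letmein", "Winter2021!", "Summer2022!", "correct horse battery"]
    found, n = crack_vault(email, stolen_check, wordlist)
    print(f"recovered master password {found!r} after {n} guesses")

    # Iteration count sets the per-guess cost: older accounts with low counts fall faster.
    for iters in (5_000, 100_100):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):,.0f} guesses/s per core")

    # Why a stronger master password matters: keyspace versus guessing rate.
    for label, space in (("8 lowercase letters", 26 ** 8), ("4 diceware words", 7776 ** 4)):
        yrs = years_to_exhaust(space, 100_100, cores=1000)
        print(f"{label}: ~{yrs:.1e} years to exhaust on 1,000 cores")
```

The numbers printed for the two keyspaces are the point: the vault copy cannot be taken back from the attackers, so the only parameters left in the defender's favour are the per-guess cost fixed by the iteration count and the size of the space the master password was drawn from. A wordlist entry or a short pattern is found in seconds regardless of the iteration count; a long random passphrase is not.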
For those who are concerned that their master password might be weak, the best thing to do right now is to change it to something stronger. Bear in mind that this only protects vault copies made from now on; the copy already stolen stays encrypted under the old master password. If you have reason to believe that the contents of your vault could be decrypted, changing the passwords stored in it is the only way to stay safe, along with setting up multi-factor authentication wherever possible.