LastPass today revealed that hackers had stolen customers’ vault data in the breach that happened earlier this year – after previously stating that only some part of their data was stolen.
The breached vault data contained both unencrypted and encrypted data, so LastPass warned customers to be vigilant about potential cyberattacks on their accounts. If you’re a LastPass customer and have a strong password set, you still need to change your password for good.
LastPass Customer Vault Data
Announcing a data breach incident for the third time – LastPass says that its customers’ vault data has been breached in a previous hack – compromising the sensitive data stored in them.
In August 2022, LastPass suffered a data breach of its developer environment – where the hacker gained access using stolen credentials from a previous breach. This led ‘certain elements’ of the customer account to be breached, said LastPass.
Well, the company now comes with another notification saying that customers’ vault data too has been compromised. LastPass said the breached cloud storage service it used had archived backups of production data stored in them, which includes the vault data.
The company the vault included both unencrypted data like the website URLs and fully-encrypted sensitive data like the website usernames, passwords, secure notes, and form-filled data.
These can only be decrypted with a unique encryption key derived from each user’s master password – which LastPass too doesn’t have due to its Zero-Knowledge architecture. So it’s all based on the customer’s set passwords’ strength, which would make the hacker’s job easier or harder.
If you’ve followed the LastPass recommendations for setting the password, the hacker would need millions of years to crack the password with existing technology. Else, it would be easy for him if you used a regular password.
Whatever, LastPass warns customers about potential brute force attacks on their passwords, so stay vigilant and smart.