In a blog post updated after the disclosure, LastPass CEO Karim Toubba said that attackers copied a cloud backup of customer storage data using keys stolen from a LastPass employee.
The customer password vault data is stored in a “proprietary binary format” that contains both unencrypted and encrypted fields, but LastPass has not disclosed the technical or security details of this format. The unencrypted data includes the web addresses stored in the vault; LastPass has not said what else. It is also unclear how recent the stolen backups are.
LastPass stated that customer password vaults are encrypted and can be unlocked only with the user’s master password, which is known only to the user. But the company warned that the cybercriminals behind the breach “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”
Toubba said cybercriminals also stole massive amounts of customer data, including names, email addresses, phone numbers and some payment information.
Password managers remain, in the vast majority of cases, a good way to store passwords that must be long, complex and unique for each site or service. But incidents like this are a reminder that not all password managers are created equal, and that they can be attacked or compromised in a variety of ways.
The best thing LastPass users can do right now is to change their current master password to a new, unique one, written down and stored in a safe place.
If you believe your LastPass password vault may have been compromised, for example because your master password is weak or you have reused it elsewhere, you should start changing the passwords stored in your LastPass vault.
The good news is that two-factor authentication makes it much more difficult for attackers to gain access to a LastPass user account, even if its master password has been guessed. This is why two-factor authentication is so important.