LastPass tells customers: Hackers stole encrypted password vaults

Hackers could try to brute force access to stolen records, company admits, as it advises customers to watch out for phishing attempts

LastPass disclosed on Thursday that hackers acquired its users' encrypted password vaults, which stored customers' passwords and other sensitive information, in a data breach in August this year.

In an updated blog post on the data breach, LastPass CEO Karim Toubba said that the attackers used cloud storage keys obtained from a LastPass employee to access a backup of customer vault data.

At the time, the company said that a threat actor had gained unauthorised access to parts of the password manager's development environment through a single compromised developer account and had taken portions of source code along with some proprietary LastPass technical information. Customers' master passwords, encrypted passwords, personal data and other data kept in customer accounts were unaffected, LastPass said then.

In November, LastPass disclosed that it discovered an intrusion that likely used data obtained in the security incident from August. Toubba said that the intrusion enabled a malicious actor to "gain access to certain elements" of client data.

In its latest update on Thursday, the firm said that hackers were actually able to gain access to customers' billing addresses, email addresses, phone numbers, company names, end-user names and IP addresses used to access LastPass services.

The hackers also stole a backup of customer vault data, which included encrypted data such as website usernames and passwords, secure notes, and form-filled data, and unencrypted data such as website URLs.

According to LastPass, password vaults for users are encrypted and can only be accessed with the user's master password, which is private to them.

However, the company cautioned customers that the hackers who carried out the attack may try to use brute force to guess their master password and decrypt the copies of vault data they obtained.

There is currently no evidence to suggest that unencrypted credit card data was accessed by hackers. LastPass said it doesn't store complete credit card data, and the data it does store is held in a separate cloud storage environment from the one the threat actor accessed.

According to LastPass, it has required master passwords to be at least 12 characters long since 2018, which considerably reduces the likelihood that brute force guessing succeeds.

The company strongly encourages users to never reuse their master password on other websites.

"If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account," it said.
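As an added illustration (not code from the article or from LastPass) of why the passages above stress master-password length and non-reuse: the block below models the vault key as derived from the master password with a slow key-derivation function and shows how the work an attacker holding an encrypted vault backup must do grows with password length, alongside a simple policy check against reused passwords. The PBKDF2-HMAC-SHA256 scheme, its 100,000-iteration work factor, the guess rate and the breached-password sample are assumed values chosen for the example, not LastPass's actual parameters.

```python
import hashlib
import secrets

# Assumed parameters for illustration only; the article does not describe
# LastPass's actual key-derivation scheme or work factor.
KDF_ITERATIONS = 100_000
MIN_MASTER_PASSWORD_LENGTH = 12   # the minimum the article says LastPass has required since 2018

# Constructed sample of previously leaked passwords (SHA-256 hex digests), standing in
# for the "dumps of compromised credentials" the article warns about.
KNOWN_BREACHED_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("password1234", "correcthorsebattery", "Summer2022!!")
}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive a 32-byte vault key from the master password (assumed PBKDF2-HMAC-SHA256 scheme).

    The vault is only as strong as this input: whoever holds the encrypted backup can
    run this same function on candidate passwords offline, at the cost of `iterations`
    HMAC evaluations per guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def master_password_issues(master_password: str) -> list[str]:
    """Return policy findings for a candidate master password: too short, or already leaked."""
    issues = []
    if len(master_password) < MIN_MASTER_PASSWORD_LENGTH:
        issues.append(f"shorter than {MIN_MASTER_PASSWORD_LENGTH} characters")
    if hashlib.sha256(master_password.encode()).hexdigest() in KNOWN_BREACHED_HASHES:
        issues.append("appears in a known credential dump (reused/compromised)")
    return issues


def offline_guessing_years(length: int, alphabet_size: int, iterations: int = KDF_ITERATIONS,
                           raw_hashes_per_second: float = 1e10) -> float:
    """Expected years to guess a uniformly random password of the given length and alphabet
    when guesses are tested offline against a stolen vault. The KDF work factor divides the
    attacker's raw hash rate; the raw rate here is an assumed figure for illustration."""
    guesses_per_second = raw_hashes_per_second / iterations
    expected_guesses = (alphabet_size ** length) / 2   # on average half the space is searched
    return expected_guesses / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    print(derive_vault_key("c0rrect-horse-b4ttery-staple!", salt).hex())
    print(master_password_issues("password1234"))
    for n in (8, 12, 16):
        print(f"{n} random printable characters (95-symbol alphabet): "
              f"{offline_guessing_years(n, 95):.3g} years")
```

The loop in the usage section makes the article's point concrete: each extra character multiplies the attacker's expected effort by the alphabet size, which is why the 12-character minimum matters when the ciphertext is already in the attacker's hands.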

Customers are also advised to be especially watchful for phishing emails and phone calls that purport to come from LastPass or other services and ask users to disclose sensitive information.

Additionally, LastPass has specific guidance for business clients who use LastPass Federated Login Services.

It cautions that business customers who do not use Federated Login and whose master passwords do not follow the recommended settings could have those passwords guessed correctly in fewer attempts.

"In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored," the company says.