
According to LastPass, hackers stole customers’ password vaults • businessroundups.org

by Ana Lopez

Password management giant LastPass has confirmed that cybercriminals stole customers’ encrypted password vaults, which store customers’ passwords and other secrets, in a data breach earlier this year.

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders made a copy of a backup of customer vault data using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format are not specified. The unencrypted data includes web addresses stored in the vault, but LastPass doesn’t say more or in what context. It is not clear how recent the stolen backups are.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customer’s master password, which is known only to the customer. But the company warned that the cybercriminals behind the breach “could attempt to use brute force to guess your master password and decrypt the copies of vault data they made.”

Toubba said the cybercriminals also stole huge amounts of customer data, including names, email addresses, phone numbers and some billing information.

Password managers are overwhelmingly good to use for storing your passwords, all of which should be long, complex, and unique to each site or service. But security incidents like this remind us that not all password managers are created equal and that they can be attacked or compromised in different ways. Since everyone’s threat model is different, no two people will have the same requirements.

In a rare situation (not a typo) like this one – which we detailed in our analysis of the LastPass Data Breach Notice – if a malicious attacker has access to customers’ encrypted password vaults, “they only need the victim’s master password.” An exposed or compromised password vault is only as strong as the encryption — and password — used to encrypt it.

The best thing you can do as a LastPass customer is to change your current LastPass master password to a new and unique password (or passphrase) that you write down and keep in a safe place. This secures your current LastPass vault, but it does not re-protect the copies of vault data that were already stolen.

If you think your LastPass password vault may have been compromised, for example because your master password is weak or you have used it elsewhere, you should start by changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, cell phone plan, bank accounts, and social media accounts, and work your way down the priority list.

The good news is that two-factor authentication makes it much more difficult for an attacker to access any account it protects without that second factor, such as a pop-up on the phone or a text or email code. That’s why it’s important to first secure the accounts that deliver those second factors, like your email accounts and mobile phone subscription accounts.
