A few weeks ago, LastPass issued a statement on its blog, sharing that it had experienced a breach. At the time, Karim Toubba, the CEO of LastPass, didn't get into all the details, only sharing that a security incident had occurred at a third-party cloud storage service that LastPass uses. Now, the company is giving a detailed breakdown of what happened, and it's not good.

Toubba once again took to the company's blog to share what it had found with regard to the incident. According to the post, customer data was not affected in that attack, but "source code and technical information" were stolen. Unfortunately, the attacker then used this information to target an employee and obtain credentials and keys, which were used to decrypt and access information on the cloud-based storage service.

From there, the attacker was able to access account information like "end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service." Furthermore, customer vault data was obtained, which contained encrypted "website usernames and passwords, secure notes, and form-filled data."

So you might be asking yourself, what does this all mean exactly?

Well, there's some good news and bad news. As for the good news, the harvested data was encrypted and requires the user's master password to decrypt. The bad news is that an attacker holding the data has all the time in the world and can try as many master passwords as necessary to decrypt it. LastPass does acknowledge that this is a possibility, but states that it would be "extremely difficult," as long as the password itself is a complicated one.

LastPass also warns that phishing attacks could become more common, in an attempt to catch customers off guard and extract master passwords. As far as what can be done now, it's really just about staying on your toes and not falling prey to phishing attempts. If something seems out of the ordinary or suspicious, research it. LastPass has required 12-character passwords at a minimum for quite some time. But breaches like this can happen, and when they do, it really does put things into perspective.

The company does try to offer some reassurance, though, stating that it would take millions of years to guess a complex password. Of course, this really shouldn't put your mind at ease, since someone out there has your encrypted data. LastPass has made changes to its infrastructure in order to prevent breaches in the future and has contacted high-risk business customers with instructions.
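To make the "try as many passwords as necessary" risk and the "millions of years" claim above concrete, here is an added example that is not part of the original article and not LastPass's code. It models a vault whose key is stretched from the master password with PBKDF2-HMAC-SHA256, checks a candidate password against a stored verifier, and estimates how long an offline attacker who already holds the vault would need to find the master password. The iteration count, alphabet sizes and attacker hash rate are assumptions chosen for illustration; LastPass's actual parameters are not stated on this page.

```python
"""Toy model of a password-protected vault and an offline-guessing cost estimate.

Constructed example. The iteration count, alphabet sizes and attacker hash
rate are assumptions for illustration, not any real product's settings.
"""
import hashlib
import hmac
import math
import os

# Assumed key-stretching work factor (PBKDF2-HMAC-SHA256 iterations).
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    The salt is per user, so an attacker cannot precompute one table that
    covers every stolen vault; each vault costs its own full search.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault_record(master_password: str) -> dict:
    """Store only the salt and a hash of the derived key, never the key or password."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "verifier": hashlib.sha256(key).digest()}


def unlock_vault(record: dict, candidate_password: str) -> bool:
    """Return True only if the candidate reproduces the stored key verifier.

    hmac.compare_digest runs in constant time so a wrong guess does not leak
    how many verifier bytes matched.
    """
    key = derive_vault_key(candidate_password, record["salt"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, iterations: int, sha256_per_second: float) -> float:
    """Expected time for an offline attacker to find a random password.

    Each PBKDF2 iteration is one HMAC, roughly two SHA-256 compressions, so the
    guess rate is the attacker's raw hash rate divided by 2 * iterations. On
    average half the space is searched before the right password turns up.
    """
    guesses_per_second = sha256_per_second / (2 * iterations)
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    record = make_vault_record("correct horse battery staple")
    print("right password unlocks:", unlock_vault(record, "correct horse battery staple"))
    print("wrong password unlocks:", unlock_vault(record, "correct horse battery stapel"))

    ATTACKER_SHA256_PER_SECOND = 1e10  # assumed: a handful of high-end GPUs
    for label, length, alphabet in [("8 lowercase letters", 8, 26),
                                    ("12 random printable characters", 12, 94)]:
        bits = search_space_bits(length, alphabet)
        years = expected_crack_years(bits, ITERATIONS, ATTACKER_SHA256_PER_SECOND)
        print(f"{label}: {bits:.1f} bits, roughly {years:,.0f} years to crack")
```

Under these assumptions a random 12-character password from the full printable set comes out at well over a million years, which is the shape of LastPass's claim, while eight lowercase letters fall in weeks. The estimate only holds for passwords chosen uniformly at random; a human-chosen password of the same length has far less entropy, so the practical risk to a vault protected by a memorable phrase is considerably higher than the arithmetic suggests. The other lesson in the model is that nothing about the stored record rate-limits the attacker: once the encrypted vault is in their hands, the only things standing between them and the contents are the work factor and the password's entropy.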


Source: LastPass