LastPass admits hackers stole customer password vaults

(Image credit: Florian Olivo/Unsplash)

The password manager giant LastPass has confirmed that its encrypted password vaults were compromised for a second time this year.

In a blog post, LastPass CEO Karim Toubba said that attackers stole a copy of a backup of customer vault data. The company says the threat actor used information from the August 2022 breach to target an employee who had access to a third-party cloud storage service, and through that employee gained access to the cloud storage.

The threat actor copied information from the backup that contained basic customer account information “including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service” according to LastPass.

The company said the intruder was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields” such as website usernames and passwords.

What information do attackers have? If you are a LastPass customer, hackers now have your name, billing address, and the URLs of every website for which you saved a password in LastPass.

How bad is the breach? A Twitter user who said they had worked as a LastPass engineer some seven years ago wrote: “This is the worst breach LastPass has had” and added that customer vaults were accessed this time, which are kept in a completely separate database.

LastPass customers took to Twitter to express their frustration and share their experiences.

Are your passwords at risk?

LastPass said customers’ password vaults are encrypted and can only be unlocked with the master password, which is only known to the customer and not stored or maintained by LastPass. The company says that if its customers use the default settings for their master passwords, “it would take millions of years to guess your master password using generally-available password-cracking technology.” 

However, the company also warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.” The company has asked customers to be wary of phishing attacks, in which someone who appears to represent LastPass sends you an email seeking your password. “LastPass will never call, email, or text you and ask you to click on a link to verify your personal information” and will never ask for your master password other than when you sign in to your vault, it said.
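The company's argument above rests on one mechanism: the vault key is derived from the master password with a deliberately slow function, so every guess against a stolen vault costs the attacker a full key derivation, and the guess space grows exponentially with master-password strength. The following script is an added illustration of that trade-off and is not code from the article or from LastPass; it uses Python's standard PBKDF2-HMAC-SHA256, an assumed iteration count of 100,000, a constructed salt, and an assumed attacker capacity of one million times a single local CPU core. The helper names (derive_vault_key, years_for_password, meets_minimum) and the minimum length and entropy thresholds are choices made for this example, not LastPass's defaults.

```python
import hashlib
import math
import time

# All values below are constructed for illustration; they are not LastPass's real parameters.
ASSUMED_ITERATIONS = 100_000          # assumption: PBKDF2 iteration count of the vault key derivation
CONSTRUCTED_SALT = b"example-salt"    # constructed; a real vault uses a per-user salt
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256.
    Every guess an attacker makes against a stolen vault must pay this full cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               CONSTRUCTED_SALT, iterations, dklen=32)


def password_entropy_bits(password: str) -> float:
    """Crude upper-bound entropy: length * log2(size of the character classes used).
    Dictionary words, names and reused passwords are far weaker than this estimate."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    ]
    alphabet = sum(size for used, size in classes if used)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected years to find the password: on average half the space must be searched."""
    return (2.0 ** (entropy_bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def measure_guess_rate(iterations: int = ASSUMED_ITERATIONS, samples: int = 5) -> float:
    """Measure how many key derivations per second one CPU core manages on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", iterations)
    return samples / (time.perf_counter() - start)


def years_for_password(password: str, guesses_per_second: float) -> float:
    """Combine the entropy estimate with a guess rate to get an expected search time."""
    return years_to_exhaust(password_entropy_bits(password), guesses_per_second)


def meets_minimum(password: str, min_length: int = 12, min_bits: float = 60.0) -> bool:
    """Policy check with assumed thresholds: minimum length and minimum estimated entropy."""
    return len(password) >= min_length and password_entropy_bits(password) >= min_bits


if __name__ == "__main__":
    local_rate = measure_guess_rate()
    attacker_rate = local_rate * 1_000_000   # assumption: a well-resourced attacker with many GPUs
    for pw in ["password1", "Tr0ub4dor&3", "correct-horse-battery-staple-2022!"]:
        print(f"{pw!r}: ~{password_entropy_bits(pw):.0f} bits, "
              f"{years_for_password(pw, attacker_rate):.2e} years at {attacker_rate:.0f} guesses/s, "
              f"meets minimum: {meets_minimum(pw)}")
```

Two caveats a practitioner should keep in mind when reading the numbers. First, the entropy estimate is an upper bound for random passwords only; a master password built from a dictionary word, a name, or a password reused elsewhere (which the article notes LastPass warns against) can be found from wordlists in far fewer guesses than the character-class arithmetic suggests. Second, the iteration count is what makes each guess expensive, so a vault whose key derivation uses far fewer iterations than assumed here gives the attacker a proportionally faster guess rate; the "default settings" the company refers to cover both the password rules and this derivation cost.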

What should LastPass customers do?

There are “no recommended actions that you need to take at this time” if customers are using the default settings, according to the company. Toubba says “it would be extremely difficult” for hackers to guess your master password because of the robust encryption methods. But if you have a weak master password, the firm suggests adding an extra security layer by changing the passwords of the websites you have stored. LastPass also recommends that users never reuse their master password on other websites and accounts.

Experts advise changing your current LastPass master password following the security breach and keeping it safe by writing it down.

Should you still use password managers?

Cybersecurity experts say yes despite the latest breach. “A password manager is still right choice in comparison to alternative. And a cloud-native offering like LastPass strongly hedges against data loss by normal users trying to manage their own vault. That is an undersold primary risk, not hackers” wrote the cybersecurity account SwiftOnSecurity.

Some Twitter users also recommended using an open source password manager.
