In his initial security incident notice (opens in new tab), LastPass CEO Karim Touba said that “we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” However, we’re now learning that the cloud storage service used by the company to store archived backups of production data was also breached by the attackers responsible. From here, the attacker used stolen source code and technical information from LastPass’ development environment to target one of its employees. After obtaining the employee’s credentials and keys, the attacker then used them to access and decrypt storage volumes stored within the company’s cloud storage. Touba also explained in his latest security incident notice that the attacker “was able to copy a backup of customer vault data from the encrypted storage container.” Although this vault data is “stored in a proprietary binary format,” it also contains unencrypted data like website URLs as well as “fully-encrypted sensitive fields” like website usernames and passwords, secure notes and form-filled data.
Stolen vault data is safe for now
Fortunately, the encrypted fields in this stolen data are secured with 256-bit AES encryption and “can only be decrypted with a unique encryption key derived from each user’s master password” according to Touba. It’s also worth noting that LastPass doesn’t know its customers’ master passwords, nor is this information stored or maintained by the company. While it appears that the passwords and other sensitive data stored by LastPass customers in their vaults is safe for now, Touba did warn that the attacker may try to brute force their master passwords in an attempt to decrypt their stolen vault data. However, due to the hashing and encryption methods used by the company, this “would be extremely difficult to attempt” – especially for customers who follow its best password practices (opens in new tab). At the same time, the attacker may try to target LastPass customers through phishing attacks, credential stuffing or other brute force attacks against the online accounts stored in their vaults. Touba also points out in his security incident notice that the company will never call, email or text customers or ask them to click on a link to verify their personal information in an effort to keep them safe from potential social engineering or phishing attacks. LastPass will also never ask you to provide your master password.
Should you delete your LastPass account?
As reported by BleepingComputer (opens in new tab), LastPass’ cloud storage breach is the second security incident disclosed by the company this year after it confirmed back in August that an attacker was able to breach its developer environment using a compromised employee account. If this is a bit unsettling as a LastPass customer, you may be thinking about deleting your account. While LastPass has been one of the best password managers for years now, these recent security incidents show how valuable hacking a company like this can be for an attacker (this is how to delete your LastPass account if you’re so inclined). If you don’t plan on deleting your LastPass account, you should at least pick a new master password, especially if your original one wasn’t complex or unique enough. To do so, you can use a password generator to create an even stronger one.
Other password managers worth considering
For those who feel they can no longer trust LastPass, there are plenty of great alternatives out there including 1Password, Dashlane and Keeper. 1Password costs the same as LastPass per month, Dashlane has an excellent desktop interface and with Keeper, Tom’s Guide readers can get an annual subscription for just $21 thanks to this promotion (opens in new tab). If you’re looking to save some cash, Bitwarden has a totally unlimited free version. While we normally recommend you don’t store your passwords in your browser, Chrome Password Manager is a great free option to hold you over until you make your final decision.