LastPass is warning the hacker could gain access to the encrypted password vaults by trying to find ways to uncover customers’ master passwords.
Well, it’s bad. LastPass has lost a copy of customers’ encrypted password data to a hacker, who recently breached the company’s systems.
The hacker looted the password data by copying a “backup of customer vault data” from an encrypted storage container during the intrusion, LastPass said on Thursday.
The company supplied the update three weeks after LastPass announced it had suffered a breach that led to the hacker stealing customer information. At the time, it remained unclear what user data was ensnared, but now LastPass is revealing that the breach is about as bad as it can get.
The stolen vault data contained “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” along with unencrypted website URLs.
LastPass is emphasizing that the stolen vault data remains protected because it’s been secured with 256-bit AES encryption. To decrypt the data, the hacker would need the vault’s master password — something only the customer should know. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass,” the company said.
