LastPass security breach leaked encrypted customer password vaults

[Image: LastPass running on Android. Image credit: Windows Central | LastPass]

What you need to know

  • Password management software LastPass suffered a breach to its cloud servers in August 2022.
  • Customer data, including password vaults, names, IP and billing addresses, and phone numbers, are among the data recently confirmed stolen during the attack.
  • LastPass explains its 256-bit AES encryption makes it unlikely for attackers to gain access to stolen customer password vaults.
  • Credit card information was not included in the stolen data, stored separately in a safe location.

LastPass, the password management software for desktop web browsers and mobile devices, has confirmed the details of an unauthorized breach of its cloud storage servers and of the encrypted data in customers' digital vaults. In August 2022, LastPass announced that the intruder had not accessed any customer data but had stolen the company's source code and other sensitive employee information.

In a new blog post, LastPass reveals more information about the breach as part of its stated commitment to transparency. A single threat actor hijacked credentials and used them to target other employees within the company, gaining access to the decryption keys for storage devices on the cloud backup network. Customer data in these backups includes company and end-user names, billing and email addresses, phone numbers, and IP addresses.

Digital vaults store every password saved to the service, but LastPass maintains that there is no evidence of a significant threat to customer data. All data stored on the primary and backup servers uses 256-bit AES encryption and can be decrypted only with a unique key derived from the user's master password. Under its zero-knowledge architecture, LastPass never stores these master passwords anywhere.

Am I affected by the LastPass breach?

LastPass maintains that it doesn't store any complete credit card numbers and that this information is kept separately from the affected backup servers. The attacker may attempt to gain access to the stolen data through brute force, but the encryption makes the probability of success extremely low.

If customers have followed best practices for their master password, including using alphanumeric strings with mixed case and special characters, it could potentially take millions of years to crack. If you're in any doubt about the risk to your private information, changing your passwords is still recommended.
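The vault design described above, encrypted client-side under a key derived from the master password that the provider never stores, and the point that guessing that password is the only remaining route into a stolen vault, as an added illustration in Go that is not LastPass's code: the KDF (PBKDF2-HMAC-SHA256), the AES-GCM mode, the iteration count and the Backup layout are assumptions, since the article names only 256-bit AES. A stolen Backup value holds nothing that decrypts without the master password, and the Iterations work factor is what makes each guess expensive.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)
// Backup is what a cloud copy of a vault holds (illustrative layout, not LastPass's):
// the master password and the key derived from it are never part of it.
type Backup struct {
	Salt, Nonce, Ciphertext []byte
	Iterations              int
}
// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, i.e. one
// AES-256 key. The KDF choice is an assumption; the article only names AES-256.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := func(msg []byte) []byte {
		m := hmac.New(sha256.New, password)
		m.Write(msg)
		return m.Sum(nil)
	}
	u := prf(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ { // T = U1 xor U2 xor ... xor Uc; each guess pays for all c
		u = prf(u)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}
// aeadFor derives the vault key from the master password and wraps it in AES-GCM.
func aeadFor(masterPassword, salt []byte, iter int) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256(masterPassword, salt, iter)) // 32 bytes => AES-256
	gcm, _ := cipher.NewGCM(block)                                       // cannot fail for AES
	return gcm
}
// Seal encrypts a vault client-side; only the returned Backup is ever uploaded.
func Seal(masterPassword, vault []byte, iter int) (Backup, error) {
	rnd := make([]byte, 28) // fresh 16-byte salt + 12-byte GCM nonce per backup
	if _, err := rand.Read(rnd); err != nil {
		return Backup{}, err
	}
	ct := aeadFor(masterPassword, rnd[:16], iter).Seal(nil, rnd[16:], vault, nil)
	return Backup{rnd[:16], rnd[16:], ct, iter}, nil
}
// Open re-derives the key; a wrong master password fails the GCM tag check and
// returns an error rather than garbage, so the backup alone reveals nothing.
func Open(b Backup, masterPassword []byte) ([]byte, error) {
	return aeadFor(masterPassword, b.Salt, b.Iterations).Open(nil, b.Nonce, b.Ciphertext, nil)
}
```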

What happens next?

To eliminate the risk of this kind of breach happening again, LastPass has completely rebuilt its development environment and implemented stricter processes and authentication mechanisms. Behind the scenes, the company is working to identify any suspicious activity within the cloud backup storage. It is also updating its safeguards, confirming exactly which data the breach accessed, and advising business customers on recommended action.

Out of caution, law enforcement officials have been notified, and other relevant authorities are involved in an ongoing investigation. LastPass has said that more updates will follow, and that systems will continue to operate as usual for current customers. If you haven't been contacted by the company directly, you can reach it via the official app or support website to address any concerns.

Windows Central take

Any password breach is a cause for concern, but the comprehensive response and transparency from LastPass are somewhat reassuring. 256-bit encryption should mean that any reasonably secure master password will keep customer vaults safe from brute-force attempts, but anyone affected should change their critical logins to be safe.

If this recent breach affected you enough to search for the best LastPass alternative, our colleagues within Windows Central use Enpass and Bitwarden to back up their passwords. No matter which service you choose, always strive to use lengthy and complex strings with a mix of letters, numbers, and symbols when accepted by the service.


Enpass

Store and sync passwords via iCloud, Google Drive, OneDrive, Box, Dropbox, NextCloud, WebDAV, or completely offline.

Free from enpass.io


Bitwarden

Secure cloud syncing lets you access your sensitive information from anywhere on any device and access unlimited passwords, across all platforms.

Free from bitwarden.com

Ben Wilson
Channel Editor

Ben is the channel editor for all things tech-related at Windows Central. That includes PCs, the components inside, and any accessory you can connect to a Windows desktop or Xbox console. Not restricted to one platform, he also has a keen interest in Valve's Steam Deck handheld and the Linux-based operating system inside. Fueling this career with coffee since 2021, you can usually find him behind one screen or another. Find him on Mastodon @trzomb@mastodon.online to ask questions or share opinions.