LastPass on Thursday conceded customer data is significantly compromised as fallout grows from a previously disclosed breach in August.

An unknown threat actor accessed and copied a cloud-based backup of customer vault data, including encrypted passwords, usernames and form-filled data, CEO Karim Toubba said in a blog post.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero knowledge architecture,” Toubba said.

The master password is not stored or maintained by LastPass, according to Toubba.

The escalation of compromise resulting from an incident almost four months ago suggests LastPass failed to contain the breach and its aftermath.

Toubba, in late November, warned “certain elements of our customers’ information” were accessed by a threat actor, but the company didn’t share the full scope of exposed data until three weeks later.

The backup of customer vault data also contains unencrypted data, such as the website URLs that customers access via the password manager, company names, billing addresses, email addresses, phone numbers, and the IP address customers use to access LastPass.

If LastPass’ default master password settings are followed, such as a minimum of 12 characters, “there are no recommended actions that you need to take at this time,” Toubba said. Through default settings, Toubba said it would take “millions of years” to guess a master password using generally available technology for password cracking.

However, a threat actor may attempt to use brute force to guess master passwords and target customers with phishing attacks or credential stuffing.
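To make the two technical claims above concrete (a vault key derived client-side from the master password, and the cost of guessing that password offline against a stolen backup), here is an added Python example; it is not LastPass code. The KDF (PBKDF2-HMAC-SHA256), the iteration count and the attacker's guess rate are assumptions, since the article states none of them, so the estimate shows orders of magnitude only.

```python
import hashlib
import string

# Assumptions (the article states none of these): the vault key is derived with
# PBKDF2-HMAC-SHA256 at 100,000 iterations, and an offline attacker with a GPU
# cluster manages about 100,000 full PBKDF2 guesses per second per vault.
KDF_ITERATIONS = 100_000
ASSUMED_GUESSES_PER_SECOND = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Printable ASCII character classes; string.punctuation has 32 symbols.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),
)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive the 256-bit AES key from the master password on the client.

    Only this derived key encrypts the vault fields; the password itself is
    never sent to the server, so whoever copies the backup must re-derive the
    key by guessing the password.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering every character used.

    Characters outside the four ASCII classes are not counted, which makes the
    estimate conservative (smaller alphabet, faster assumed search).
    """
    return sum(size for chars, size in CHARACTER_CLASSES
               if any(c in chars for c in password))


def expected_crack_years(password: str,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected years for an exhaustive offline search (half the keyspace on average)."""
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def meets_default_policy(password: str) -> bool:
    """The default described in the article: a master password of at least 12 characters."""
    return len(password) >= 12
```

With these assumptions, an 8-character lowercase password falls to exhaustive search in weeks, while a 12-character mixed-class one takes far more than a million years; raising the iteration count scales the attacker's cost linearly, the password length scales it exponentially.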

LastPass is used by more than 33 million registered users and more than 100,000 business customers.