LastPass confirms customer password vaults were stolen


The data breach that hit password manager LastPass earlier this year saw the thieves steal encrypted password vaults from customers, the company has confirmed.

The password vault is where people store their passwords, so if the attackers find a way to decrypt the vaults, they can read all the passwords stored in them.

In an update posted on the LastPass blog, CEO Karim Toubba said the attackers used cloud storage keys stolen from a LastPass employee to access and exfiltrate customer vault data. The stolen data is a combination of encrypted information (the password vaults themselves) and unencrypted information: web addresses, names, email addresses, phone numbers and, in some cases, billing information stored in the vault.

Master password safe

The good news is that the password vaults are stored in a “proprietary binary format” and encrypted, so the contents cannot be read without the client’s master password, which (hopefully) no one knows except the user. LastPass says it does not know this information.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” said Toubba. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Still, the company warned that cybercriminals “may try to use brute force to guess your master password and decrypt the copies of vault data they’ve made,” which could be a problem for users who chose weak and easily guessable master passwords.

For those worried that their master password could be cracked, the best thing to do right now is to change it to something more resilient. If you have reason to believe that the contents of your vault may have been compromised, changing the passwords stored in it is the only way to stay safe (aside from setting up multi-factor authentication wherever possible).
