[UPDATE] LastPass Reveals that your Passwords aren’t so Safe After All
In a blog post on December 21, we reported that LastPass had been hacked. The password-management company stated that “Elements of our customers’ information” were compromised but maintained that no password information had been stolen. In the days since, it has emerged that encrypted vault data, passwords included, was in fact stolen, and that the situation is about as bad as it could get.
LastPass has revealed that the hacker responsible for the attack obtained a “backup of customer vault data” from an encrypted storage container. In practice, anyone who learns a user’s master password can derive that user’s vault key and decrypt a gold mine of credentials.
According to the company, the stolen vault data included “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” as well as unencrypted website URLs. The URLs alone tell the attacker which banks, employers and services each user has accounts with, which is exactly what a targeted phishing campaign needs.
If there is a silver lining, the company maintains that user vault data remains protected because the sensitive fields are secured with AES encryption. The only way for the attacker to access the contents of a vault is with that user’s master password, which LastPass does not store. According to LastPass, “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” That protection is only as strong as the key derivation behind it: the vault key is derived from the master password with PBKDF2, at a default of roughly 100,000 iterations for current accounts, and accounts that have never had this setting updated may still be using a far lower iteration count.
The concern is that the threat actor could obtain master passwords through techniques such as phishing or brute force. Because the attacker holds a copy of the encrypted vaults, guessing is an offline exercise: no LastPass server is in the loop to rate-limit or lock out attempts, so the only costs are the PBKDF2 iteration count and the unpredictability of the master password. LastPass, however, emphasizes that brute-forcing a complex master password would be impractical, and notes that since 2018 it has required a master password of at least 12 characters.
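To make the brute-force concern concrete, here is an added example (not code from PC Magazine, LastPass, or the original article) that models an attacker holding a stolen encrypted vault and guessing master passwords offline. Only the key-derivation step mirrors the PBKDF2-from-master-password design LastPass describes; the vault format, the HMAC-based stand-in cipher, the email salt, the vault contents, the wordlist, and the iteration counts and attacker throughput passed to the cost estimate are all constructed assumptions for this example, not LastPass’s real format or measured figures.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed, simplified model of an encrypted password vault (NOT LastPass's real
# format). Only the key-derivation step follows the design LastPass describes:
# a 256-bit vault key derived from the master password with PBKDF2-HMAC-SHA256.
# Salting with the account email is an assumption of this model. The cipher is an
# HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for
# AES so that the example runs on the Python standard library alone.

NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault key from the master password. Every guess an attacker
    makes has to pay for all `iterations` rounds, so the count sets the cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys from the vault key (domain separation)."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt, or return None if the tag does not verify (wrong key or tampering).
    The tag is what lets an offline attacker tell a right guess from a wrong one."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def offline_guess(blob: bytes, email: str, iterations: int,
                  candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on a stolen blob. No server is involved, so nothing
    throttles or locks out the attacker. Returns (password or None, guesses tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if decrypt_vault(derive_vault_key(guess, email, iterations), blob) is not None:
            return guess, tried
    return None, tried


def expected_cracking_seconds(keyspace: int, iterations: int,
                              pbkdf2_rounds_per_second: float) -> float:
    """Average time to hit the right guess (half the keyspace) for an attacker whose
    hardware performs the given number of PBKDF2-HMAC-SHA256 rounds per second."""
    return (keyspace / 2) * iterations / pbkdf2_rounds_per_second


def demo(iterations: int = 100_100) -> dict:
    email = "victim@example.com"                                          # constructed
    vault = b'{"url":"https://bank.example","user":"alice","pw":"hunter2"}'  # constructed
    wordlist = ["123456", "qwerty", "letmein", "Password1!", "iloveyou"]  # constructed
    weak_blob = encrypt_vault(derive_vault_key("letmein", email, iterations), vault)
    strong_blob = encrypt_vault(
        derive_vault_key("glacier-tuba-orbit-velvet-9", email, iterations), vault)
    return {
        "weak": offline_guess(weak_blob, email, iterations, wordlist),
        "strong": offline_guess(strong_blob, email, iterations, wordlist),
        # Illustrative attacker doing 1e9 rounds/s against a 1e6-word list:
        # halving the iteration count halves the cost, and so on.
        "seconds_low_iter": expected_cracking_seconds(10**6, 5_000, 1e9),
        "seconds_default_iter": expected_cracking_seconds(10**6, iterations, 1e9),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak master password falling on the third guess while the passphrase survives the same wordlist, and the two cost estimates show that a lower iteration count lowers the attacker’s cost by exactly the same factor. The lesson for a vault holder is that none of this depends on anything LastPass can do after the theft; it depends only on how unguessable the master password already was and how many PBKDF2 iterations the account was configured for.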
In addition to these new details, LastPass previously reported that other customer data had been compromised, including email addresses, phone numbers, billing addresses and IP addresses. Combined with the unencrypted URLs in the vaults, this information makes it considerably easier for the attacker to craft convincing phishing messages that trick users into handing over their master passwords.
In a statement to help users protect against Phishing attacks, LastPass is warning: “It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”
“We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment,” LastPass said.
For added peace of mind, LastPass says that affected users can change the passwords stored in their vault and activate two-factor authentication on the internet accounts that offer it. It adds that users who follow best practices and use a complex master password need take no further action. With that said, a breach of this magnitude has to shake the confidence of the customer base, leaving users to question whether LastPass can provide a safe password experience for them in the future. Only time will tell.
Story via PC Magazine