Hackers obtained LastPass customer data vaults in recent data breach

On November 30, LastPass notified users that it was investigating an August "security incident" leading to user data theft.

Now, the LastPass CEO Karim Toubba has posted a blog informing users of the extent of what was stolen.

"To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the blog post reads.

The hacker also created a copy of customer vault data, which the company maintains is "stored in a proprietary binary format." Some vault data, like website URLs, is not encrypted. Other data, like usernames and passwords, are "secured with 256-bit AES encryption," which the company maintains cannot be decrypted by hackers.

"[Encrypted data] can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," Toubba writes. "As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."

While the company claims that it would be highly unlikely that the hackers could decrypt the data, it warns users that they could be targeted by phishing or social engineering attacks.

LastPass has come under fire for questionable security practices in the past.

In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that attacks were a result of passwords leaked in third-party breaches.

In February 2021, a security researcher uncovered seven trackers within the LastPass Android app.