After a security breach earlier this year, LastPass has notified users of another security breach; this time somewhat more serious. The notification came to users via email or; if you happened to trip over it, a blog post published a couple of days ago.
Based on the aforementioned blog post, there is certainly reason to be concerned if you’re a LastPass user. Not only has a staff account been compromised, but user vault backups have also been stolen:
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
Here’s the kicker, while the vaults are encrypted, there is potential that your vault could be accessed by brute force. LastPass do not “know” or store master passwords for vaults. So, if your master password for your vault adhere’s to password best practice, you should be reasonably safe.
The blog post doesn’t make note of the two-factor authentication option, it stands to reason that it should provide further protection. If you’re worried, then your best bet is to begin changing your passwords ASAP with your critical accounts being the first priority.
If you’re a LastPass customer heading elsewhere: Let us know what service you’re moving to and what features won you over in the comments below.