Popular password manager LastPass disclosed that hackers accessed customers’ password vaults in a previously reported data breach from August of this year. In its initial investigation, the company found that an unknown threat actor had accessed cloud backups and believed that no customer information had been breached.
In an update to the disclosure, LastPass CEO Karim Toubba announced that the hackers took copies of backups stored in the cloud and accessed encrypted and unencrypted customer data.
Toubba assured customers that encrypted data is only accessible through an encryption key derived from the master password and that the master password is not stored or known by LastPass. However, Toubba warned customers that hackers might use brute force or “credential stuffing” to access customers’ accounts.
If customers followed the default guidelines, Toubba said it “would take millions of years to guess your master password using generally-available password-cracking technology.”
The hackers also took customers’ names, emails, phone numbers, and some billing information, said Toubba, but credit card information was untouched.
Cyberattacks will continue to rise in the new year, and organizations and consumers should stay on guard. Basic security measures like using long and unique passwords for every website and changing passwords regularly can minimize the risk of having sensitive information stolen.