LastPass Admits Hackers Stole Customer Password Vaults


  • Hackers got access to customer password vaults
  • Sensitive data in the leak is encrypted
  • Hackers would need the customer’s master password to decrypt it


The popular password manager LastPass has confirmed that hackers stole its customers’ encrypted password vaults, which store those customers’ passwords and other information.

LastPass CEO Karim Toubba admitted in a recent blog post that hackers were able to access customer vault data and successfully copied a backup of it.

LastPass noted that while some data fields, such as website URLs, are unencrypted, sensitive data such as usernames and passwords remain encrypted. They are encrypted using the user’s master password, which the company does not store on its servers. This means that even if your vault data is leaked, the hacker would still need your LastPass master password to read your usernames and passwords.

While the hackers cannot read your usernames and passwords directly, they now hold a copy of the vault and could try to brute-force the master password and find their way in. So, all is not well.

LastPass advises you to change your master password if it is weak. It said, “as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.”
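The brute-force risk and the advice about master-password strength come down to two numbers: the cost of each guess, which is set by the iteration count of the key derivation, and the number of guesses needed, which is set by the master password’s entropy. The following Python is an added example, not LastPass code and not from the article; it assumes LastPass’s documented derivation (PBKDF2-HMAC-SHA256 keyed from the master password, salted with the account e-mail, 100,100 iterations by default), which the article itself does not describe, and the guess rate it uses is a constructed figure for illustration, not a measured one.

```python
import hashlib
import math

# Assumed scheme (not stated in the article): PBKDF2-HMAC-SHA256 keyed from
# the master password, salted with the account e-mail, 100,100 iterations.
ASSUMED_DEFAULT_ITERATIONS = 100_100
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ASSUMED_DEFAULT_ITERATIONS) -> bytes:
    """Derive a 256-bit vault key from the master password.

    The server never sees the master password, only data encrypted under this
    key, which is why a stolen vault copy is unreadable without it. Salting
    with the e-mail means two users who chose the same master password get
    different keys, so one precomputed table cannot serve many accounts.
    """
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               email.encode("utf-8"),
                               iterations,
                               dklen=32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses needed: half the keyspace is searched before a hit."""
    return 2.0 ** (bits - 1)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average time, in years, to find a password of the given entropy at a
    given guess rate. Every guess against a stolen vault costs one full
    PBKDF2 derivation, so raising the iteration count lowers the rate any
    adversary can reach, and lengthening the password raises the bits."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed guess rate for illustration only, not a measured figure.
    RATE = 10_000  # PBKDF2 derivations per second
    policies = [
        ("8 digits", 8, 10),
        ("8 lowercase letters", 8, 26),
        ("12 mixed case + digits", 12, 62),
        ("5 random words (7776-word list)", 5, 7776),
    ]
    for name, length, alphabet in policies:
        bits = entropy_bits(length, alphabet)
        years = years_to_search(bits, RATE)
        print(f"{name:34s} {bits:6.1f} bits  ~{years:.3g} years at {RATE}/s")

    # Constructed sample credentials, not real account data.
    key = derive_vault_key("correct horse battery staple", "alice@example.invalid")
    print("derived vault key:", key.hex())
```

Run it and the table shows why a short digit-only or lowercase master password is the weak point: its keyspace is searched in hours even at a modest rate, while a long random passphrase pushes the average search far beyond any useful horizon. It also explains the advice to rotate stored site passwords rather than only the master password: a new master password yields a new key, but the copy already stolen stays encrypted under the old one, so anything inside it is only as safe as that old password was.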

Back in August, when LastPass first disclosed it was hacked, it told users not to worry, as passwords and vaults were not compromised. This new disclosure backtracks on that statement, since it concerns the same incident.

The report shows that the hackers gained access to an employee’s cloud access key. With that, they were able to get a copy of customer vault data from the encrypted storage container. The vault data is stored in a proprietary binary format containing both encrypted and unencrypted fields.

This is terrible news for LastPass and its customers. This is the exact scenario I would fear if I were a password manager. LastPass failed at precisely what it swore to protect its users from. If I were still using LastPass, I would be very pissed at them and switch over to another password manager. I would also be angry that it revealed this information only now, rather than in the previous report.

If you’re looking for a free, open-source alternative to LastPass, you can go with Bitwarden.