The LastPass hack was worse than the company first reported

After being hacked in August for the second time in as many years, password manager app LastPass announced on Thursday that the latest attack was far more damaging than initially reported: in some cases the attackers got away with users’ password vaults. That means the thieves have entire collections of people’s encrypted personal data, if not the immediate means to unlock them.

“During the August 2022 incident, no customer data was accessed,” said Karim Toubba, CEO of LastPass. However, some of the app’s source code was stolen and then used to trick a LastPass employee into revealing their credentials; the attackers then used those keys to decrypt and copy “some storage volumes within the cloud-based storage service.”

The encrypted data obtained by the hackers included basic customer account information such as company names, billing addresses, email addresses, IP addresses and phone numbers, Toubba continued. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero-knowledge architecture,” said Toubba. “As a reminder, the Master Password is never known to LastPass and is not stored or maintained by LastPass.”

Still, will you take the company at its word? I’m not. It will be tedious, but swapping out all of your various existing site passwords for new ones, as well as choosing a new Master Password, might ultimately prove necessary to restoring your online security. Or you can just ditch LastPass and switch to 1Password or Bitwarden.
