LastPass breach: Hacker stole passwords, company says

In August, LastPass, one of the leading password manager services, announced that its servers had been hacked.

Over the Christmas holiday, LastPass discussedjust how bad a leak it really was.

At the time of the hack, LastPass said in a blog post that its initial investigation showed that while a hacker gained access to its development environment, "no evidence that this incident involved any access to customer data or encrypted password vaults."

Since August, LastPass has made three updates to that blog. The latest, released on December 22, revealed that the hacker involved was able to gain access to "backup customer vault data."

That includes "both unencrypted data, such as website URLs, as well as fully-encrypted, sensitive fields such as website usernames and passwords, secure notes, and form-filled data," the blog post reported.

That said, LastPass’ post adds, those fields remain encrypted, and "can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture."

LastPass users’ master passwords are not stored or maintained by the company, nor are they known to the company. 

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

SEE ALSO: The best password managers for all your online accounts

Could hackers get into LastPass passwords and data?

Though LastPass uses a minimum 12-character master password, which includes symbols, numbers and capital letters, hackers could attempt to get into the data using a brute force attack – that is, to employ software to guess combinations until getting it right. 

LastPass says that if its customers use the default settings around their master password, "it would take millions of years to guess your master password using generally-available password-cracking technology."

However, according to Inc,customers should be wary of phishing attacks, where someone who appears to represent LastPass sends you an email seeking your password. 

What should LastPass users do about the breach?

According to LastPass, there are "no recommended actions that you need to take at this time," should customers be using the default settings.

---

Related Stories

---

• What is Hermit spyware and how do you protect yourself from it?
• Bumble makes cyberflashing detection tool available as open-source code
• Twitter hack shows need for cybersecurity regulations, govt. report says
• Just get a password manager already — here are the best options
• This $20 lifetime subscription adds a fully-functional second number to your phone

However, the site adds that those who don’t use the default settings should consider changing passwords stored there.

Regarding phishing attacks, LastPass says they will never email or contact users seeking their password information. 

What is a password manager?

A password manager stores your online credentials within one program. This allows users to not have to remember complex passwords, while also allowing them to keep said passwords complex. 

Besides LastPass, some of the better-known password managers include 1Password, BitWarden, Dashlaneand NordPass.