
Hackers Stole Encrypted LastPass Password Vaults, And We’re Just Now Hearing About It

Last month, the company disclosed that threat actors had gained access to “certain elements” of customer information. Just as many US employees are leaving for the holidays, the company reveals that customers’ encrypted password vaults were copied.

LastPass has issued an updated statement regarding a recent data breach: the company, which promises to keep all of your passwords in one secure location, is now claiming that hackers were able to “copy a backup of customer vault data,” which means they theoretically now have access to all of those passwords if they can crack the stolen vaults (via TechCrunch).

If you use LastPass to store passwords and login information, or if you used to have an account and didn’t delete it before this fall, your password vault could be in the hands of hackers. Nonetheless, the company claims that if you have a strong master password and the most recent default settings, you may be safe. However, if you have a weak master password or weaker security settings, the company recommends that you “consider minimizing risk by changing passwords of websites you have stored as an extra security measure.”

That could imply changing the passwords for all of the websites you trusted LastPass to store.

While LastPass insists that passwords are still secured by the account’s master password, given how it’s handled these disclosures, it’s difficult to believe it.

When the company announced the breach in August, it stated that it did not believe any user data had been accessed. Then, in November, LastPass announced that it had detected an intrusion, which appeared to be based on information stolen in the August incident (it would have been nice to learn about that possibility between August and November). Because of this intrusion, someone was able to “gain access to certain elements” of customer information. It turns out that those “certain elements” were, you know, the most important and secret information stored by LastPass. According to the company, there is “no evidence that any unencrypted credit card data was accessed,” but that would have been preferable to what the hackers got away with. At the very least, canceling a card or two is simple.

Customers’ vault backups were copied from cloud storage

We’ll get to the details later, but here’s what LastPass CEO Karim Toubba has to say about the vaults being taken:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data like website URLs and fully-encrypted sensitive fields like website usernames and passwords, secure notes, and form-filled data.

According to Toubba, the only way a malicious actor could access that encrypted data, and thus your passwords, is through your master password. According to LastPass, it has never had access to master passwords.

That’s why, according to him, “it would be extremely difficult to attempt to brute force guess master passwords,” as long as you had a very good master password that you never reused (and there wasn’t some technical flaw in the way LastPass encrypted the data — though the company has made some pretty basic security mistakes in the past). However, whoever has this data could attempt to unlock it by guessing random passwords, also known as brute force.

LastPass claims that using its recommended defaults should protect you from such an attack, but it makes no mention of any feature that would prevent someone from repeatedly attempting to unlock a vault over days, months, or years. It’s also possible that people’s master passwords are accessible in other ways — if they re-use their master password for other logins, it could have leaked out during previous data breaches.

It’s also worth noting that if you have an older account (before a newer default setting was introduced after 2018), your master password may have been protected by a weaker password-strengthening process. LastPass currently uses “a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function,” but when a Verge staff member checked their older account using a link included in the company’s blog, it said their account was set to 5,000 iterations.
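To make the iteration-count point concrete, here is an added example (not code from the article or from LastPass) that derives a vault key with PBKDF2 and measures how the cost of a single offline guess scales between the 5,000 iterations seen on the older account and the 100,100 the company now describes. The hash function (HMAC-SHA256), 32-byte key length and e-mail-as-salt are assumptions; only the two iteration counts come from the text.

```python
import hashlib
import time

# Assumed parameters, not taken from the article: PBKDF2-HMAC-SHA256 with a
# 32-byte output and the account e-mail as salt. Only the iteration counts
# (5,000 on older accounts, 100,100 as the current default) come from the text.
OLD_ITERATIONS = 5_000
CURRENT_ITERATIONS = 100_100


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a vault encryption key from a master password with PBKDF2."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt.encode("utf-8"),
        iterations, dklen=32,
    )


def work_factor(old_iterations: int, new_iterations: int) -> float:
    """How many times more work one guess costs at the new setting than the old."""
    return new_iterations / old_iterations


def measure_guess_rate(iterations: int, samples: int = 10) -> float:
    """Guesses per second on one CPU core at the given iteration count,
    measured on this machine with constructed sample passwords."""
    salt = "user@example.com"  # constructed, stands in for the account e-mail
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"constructed-guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(space_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a password space at a rate."""
    return space_size / guesses_per_second


if __name__ == "__main__":
    # A constructed, deliberately weak space (8 lowercase letters) to show why
    # a strong, unique master password matters more than the iteration count.
    space = 26 ** 8
    for n in (OLD_ITERATIONS, CURRENT_ITERATIONS):
        rate = measure_guess_rate(n)
        days = seconds_to_exhaust(space, rate) / 86_400
        print(f"{n:>7} iterations: {rate:8.1f} guesses/s on one core, "
              f"~{days:,.0f} days to exhaust {space:,} candidates")
    print(f"work factor 5,000 -> 100,100: "
          f"{work_factor(OLD_ITERATIONS, CURRENT_ITERATIONS):.2f}x")
```

The measured rate is for a single Python core; a defender should assume an attacker holding a copied vault has far more hardware and no server-side rate limit, which is why the iteration count and the master password strength are the only controls left.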

Perhaps the most concerning aspect is the unencrypted data, which includes URLs and could provide hackers with information about which websites you have accounts with. If they decide to target specific users, that information could be extremely useful when combined with phishing or other types of attacks.

If I were a LastPass customer, I would be dissatisfied with how the company has disclosed this information

While none of this is good news, it is all something that could happen to any company that stores secrets in the cloud. The name of the game in cybersecurity isn’t having a perfect track record; it’s how you respond to disasters when they occur.

And this is where I believe LastPass has fallen short.

Remember, this announcement is being made today, December 22nd — three days before Christmas, when many IT departments will be on vacation and people are unlikely to be paying attention to password manager updates.

(In addition, the announcement doesn’t get to the part about the vaults being copied until five paragraphs in. And, while some of the information is bolded, I believe it’s reasonable to expect such a major announcement to be near the top.)

According to LastPass, the vault backup was not initially compromised in August; rather, the threat actor used information from that breach to target an employee who had access to a third-party cloud storage service. The vaults were kept in and copied from one of the cloud storage volumes, along with backups containing “basic customer account information and related metadata.” That includes things like “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” according to LastPass.

Toubba claims that as a result of the initial breach and the second breach that exposed the backups, the company is taking numerous precautions, including increasing logging to detect suspicious activity in the future, rebuilding its development environment, rotating credentials, and more.

That’s all well and good, and it should accomplish those goals. But, if I were a LastPass user, I’d seriously consider leaving the company at this point, because we’re looking at one of two scenarios here: either the company didn’t know backups containing users’ vaults were on the cloud storage service when it announced that it had detected unusual activity there on November 30th, or it did know and chose not to notify customers about the possibility that hackers had gained access to them. Neither of these looks good.
