LastPass Customer Vault Data Stolen – How to Recover from this Attack
Password manager company LastPass have confirmed that customer vault data was stolen in a recent cyber attack. Hackers targeted LastPass’s cloud storage backups at the end of November 2022 and obtained personal customer information, including encrypted passwords. The cyber criminals were able to carry out this data breach using information they had already stolen in August 2022, in an attack on the LastPass developer environment. In that August attack they stole a “cloud storage access key and dual storage container decryption keys”, as well as source code, which allowed them to perform the November attack.
Both encrypted and unencrypted data were stolen from a cloud backup of customer vault data: plain-text website URLs alongside encrypted usernames and passwords, secure notes, and form-fill data.
The other data stolen includes basic customer account information such as:
Company names
End-user names
Billing addresses
Email addresses
Telephone numbers
IP addresses from which the LastPass service was accessed
The encrypted username and password data is believed to be beyond the cyber criminals’ ability to decrypt, as each user account has a unique encryption key derived from its master password. The master password is not stored anywhere on LastPass servers, so to access the sensitive data the attackers would have to brute force the master passwords, which LastPass CEO Karim Toubba has said would take “millions of years” with current password guessing technology.
However, this claim assumes that users followed the strong password guidelines LastPass suggests for creating a master password. If these guidelines were not followed, your master password will be easier to guess and your data could be decrypted more easily. When the stronger password policy was enforced for LastPass master passwords in 2018, it was not applied to existing accounts, so some users may be at risk because they still have a less complex, easier-to-crack master password.
Changing your master password to a stronger one now helps protect your data in any similar future attack, but it does nothing for the data that has already been stolen. To protect that data, every individual site password that was stored in LastPass at the time of the attack should be changed. If the recent data breaches have prompted you to move to a different password manager, you can export your data from LastPass and move it across to a new provider; however, to protect your accounts, all passwords should still be changed individually.
To move your current passwords to a new provider, first log in to lastpass.com with your login details, then open ‘Advanced Options’ from the left-hand menu. Under the heading ‘Manage your vault’ you will find the ‘Export’ option. Clicking it asks for your login details again, after which you can view your data and save it as a .CSV file. Do not keep this file of passwords any longer than necessary: enter them into a new password manager such as Dashlane, 1Password or Bitwarden as soon as possible, then delete the .CSV file permanently. You can then go through each website you hold an account with and change each password individually to make sure they are not compromised.
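As an added example (not from the article or from LastPass), the following Python script turns the exported .CSV into a rotation checklist without printing any secret: it lists each site whose password must be changed, flags passwords reused across several sites, and separates secure notes for manual review. The column header and the http://sn marker for secure notes are assumptions about the export format, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the assumed LastPass export layout
# (url,username,password,totp,extra,name,grouping,fav). All values are made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com/login,alice@example.com,Tr0ub4dor&3,,,Example Mail,Work,0
https://shop.example.net,alice,Tr0ub4dor&3,,,Example Shop,Personal,1
https://bank.example.org,alice,correct-horse-battery,,,Example Bank,Finance,1
http://sn,,,,Recovery codes here,Backup codes,Notes,0
"""

SECURE_NOTE_URL = "http://sn"  # assumed marker LastPass uses for secure notes


def triage_export(csv_text):
    """Return (sites, reused, notes) from a LastPass CSV export.

    sites  - sorted hostnames whose stored password must be changed
    reused - groups of hostnames that share one password (each group sorted)
    notes  - names of secure notes that need a manual review
    Passwords are used only for grouping and never returned or printed.
    """
    sites = set()
    by_password = defaultdict(set)
    notes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        url = (row.get("url") or "").strip()
        if url == SECURE_NOTE_URL:
            notes.append(row.get("name", ""))
            continue
        # Fall back to the entry name when the URL has no parsable host.
        host = urlparse(url).hostname or row.get("name", "")
        sites.add(host)
        if row.get("password"):
            by_password[row["password"]].add(host)
    reused = sorted(sorted(h) for h in by_password.values() if len(h) > 1)
    return sorted(sites), reused, notes


if __name__ == "__main__":
    sites, reused, notes = triage_export(SAMPLE_EXPORT)
    print("Change the password on:", ", ".join(sites))
    for group in reused:
        print("Same password reused across:", ", ".join(group))
    print("Secure notes to review:", ", ".join(notes))
```

Run it against your own export instead of SAMPLE_EXPORT, then delete both the export and any output file once the checklist is done.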