Snippet: LastPass Says Hackers Stole Customers’ Password Vaults ☇

Shared on December 23, 2022

Zack Whittaker for TechCrunch:

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses. It’s not clear how recent the stolen backups are.

LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”

Toubba said that the cybercriminals also took vast reams of customer data, including names, email addresses, phone numbers and some billing information.

At the very least, they can use your customer information to send phishing messages for websites where you actually have accounts. At worst, they’d crack your master password and possibly gain access to everything. Happy holidays—go change your passwords if you’re a LastPass user!

Update: Pete Moore emailed me and has shared the following in a few places, making this breach much, much worse (Jonty Wareing had a post on Mastodon to confirm):

Just read your post about this, and unfortunately it gets worse. LastPass was using legacy PBKDF version 1, which only uses 5,000 hash iterations instead of 100,000 in version 2. So much for doing the right thing by supporting and adhering to current security standards…
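The brute-force warning in the TechCrunch quote and the iteration-count point in Pete's email are really the same issue: PBKDF2 cost is linear in the iteration count, so every guess at a master password costs the attacker one derivation at whatever count the vault was created with. The following is an added example (not LastPass code, and not the author's), and the 16-byte salt, 32-byte output and sample password are assumptions for illustration; it derives a key at both counts quoted in the email and times one guess at each.

```python
import hashlib
import os
import time

# Iteration counts quoted in the post (a constructed comparison, not LastPass's own code)
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation. The salt argument and the 32-byte output
    length are assumptions for this demo, not LastPass's actual scheme."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(iterations: int, salt: bytes, samples: int = 3) -> float:
    """Time one derivation on this machine. An offline guesser pays roughly this
    cost (less with GPUs, but still proportional) for every candidate password."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, iterations)  # constructed sample
        best = min(best, time.perf_counter() - start)
    return best


def relative_attacker_cost(weak_iterations: int, strong_iterations: int) -> float:
    """PBKDF2 work grows linearly with the iteration count, so raising the count
    multiplies the per-guess cost by exactly this factor."""
    return strong_iterations / weak_iterations


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed salt for the demo
    for n in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n, salt) * 1000:.1f} ms per guess")
    factor = relative_attacker_cost(LEGACY_ITERATIONS, CURRENT_ITERATIONS)
    print(f"moving from {LEGACY_ITERATIONS} to {CURRENT_ITERATIONS} multiplies attacker cost by {factor:.0f}x")
```

The absolute timings depend on the machine, but the 20x ratio between the two counts does not, which is why a vault created under the old default is far cheaper to attack offline than one created under the current one.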


Snippets are posts that share a linked item with a bit of commentary.