Popular password manager LastPass has admitted encrypted password vaults were stolen by hackers in an August data breach affecting the company’s millions of users.
At the time the company said no sensitive customer data had been accessed, but it now says the threat actor has since obtained data that could be used to help guess master passwords.
Hackers made copies of account information such as phone numbers, billing and email addresses, as well as a backup of customers’ encrypted password vaults.
No unencrypted master passwords, which are used to log in to the password manager, were obtained, but with that basic account information in hand, LastPass CEO Karim Toubba warned: “The threat actor may attempt to use brute force to guess your master password.”
If customers followed the password best practices outlined by LastPass, the company said it would be “difficult” for the hackers to guess master passwords this way.
The people behind the hack may also attempt to decrypt the encrypted customer vault, Toubba said.
While the initial breach did not appear to touch sensitive customer data, it did expose technical information that was later used to target a LastPass employee, the company disclosed in November.
It is now clear that hackers were able to obtain “credentials and keys” from the employee “which were used to access and decrypt some storage volumes within the cloud-based storage service,” Toubba said on Thursday.
“The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container.”
The company says this vault “contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
“There is no evidence that any unencrypted credit card data was accessed,” Toubba said.
Hackers would need to decrypt the vault before the passwords and other sensitive information saved in it could be read.
LastPass does not store master passwords, which are required to have a minimum of 12 characters, nor does it store complete credit card data.
LastPass, which counts more than 25 million users, works by aggregating the hundreds of passwords consumers and corporate users need to log into their social media accounts, business networks, online retailers and more.
Security professionals routinely recommend using a unique, complex password for each and every website a person visits, so password managers like LastPass play an increasingly important role in keeping people’s data safe online.
What should customers do?
Some LastPass customers are advised to change all of the passwords for the websites stored in their LastPass account, and to ensure that their basic account information does not provide clues to the new passwords.
By following the password-setting best practice guidelines provided by LastPass, it says “it would take millions of years to guess your master password using generally-available password-cracking technology”.
If your master password does not follow the LastPass defaults, the company warns that this “would significantly reduce the number of attempts needed to guess it correctly.”
Other than ensuring you have followed those initial steps, the company says “there are no recommended actions that you need to take at this time”.
“We also recommend that you never reuse your master password on other websites,” Toubba said.
“If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the internet to attempt to access your account.”
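The advice above turns on one number: how many guesses an attacker holding the stolen vault and your email address can afford. The Python script below is an added illustration of that offline attack; it is not code from the article or from LastPass. It assumes the vault key is derived with PBKDF2-HMAC-SHA256, salted with the account email and stretched with 100,100 iterations, and it uses a hypothetical guess rate of one million per second; those parameters, and the constructed company name, email and “leaked” passwords, are modelling assumptions rather than facts taken from the article.

```python
"""Offline master-password guessing model (added example, not LastPass code).

Assumptions, not facts from the article: the vault key is
PBKDF2-HMAC-SHA256(master password, salt = lower-cased e-mail) with
100,100 iterations, and the attacker's budget is a hypothetical
guesses-per-second rate supplied by the caller.
"""
import hashlib
import hmac
import time

ITERATIONS = 100_100                      # assumed default work factor
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key. The e-mail is the
    salt, so knowing it does not shrink the search space, but it is
    required before the attacker can start guessing at all."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
    )


def candidates_from_profile(company: str, email: str, leaked: list) -> list:
    """Guesses built from 'basic account information' (company name and
    e-mail) plus a credential dump. Every input is constructed example
    data supplied by the caller, not real breach data."""
    local_part = email.split("@")[0]
    derived = [company, company + "2022", local_part,
               local_part + "123", company + "!"]
    return list(leaked) + derived


def offline_guess(candidates, email: str, stolen_key: bytes,
                  iterations: int = ITERATIONS):
    """Simulate an attacker holding the e-mail and a key derived from the
    stolen vault: try candidates until one reproduces the key.
    Returns (matched password or None, guesses made, seconds per guess)."""
    start = time.perf_counter()
    tried = 0
    matched = None
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(derive_vault_key(cand, email, iterations),
                               stolen_key):
            matched = cand
            break
    elapsed = time.perf_counter() - start
    return matched, tried, elapsed / max(tried, 1)


def years_to_exhaust(charset_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case years to try every password of this shape at the given
    rate. A random 12-character password drawn from the 95 printable
    ASCII characters is out of reach; six lowercase letters are not."""
    return charset_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    email = "alice@example.com"                        # constructed
    leaked_dump = ["password", "letmein", "qwerty"]    # constructed
    # A master password reused from the company name: the attacker only
    # needs the stolen profile data to guess it in a handful of attempts.
    weak_key = derive_vault_key("acme2022", email)
    found, tried, per_guess = offline_guess(
        candidates_from_profile("acme", email, leaked_dump), email, weak_key)
    print(f"weak master password recovered: {found!r} after {tried} guesses "
          f"({per_guess * 1000:.0f} ms per guess on one CPU core)")
    rate = 1_000_000   # hypothetical attacker budget, guesses per second
    print(f"6 lowercase letters: {years_to_exhaust(26, 6, rate):.2e} years")
    print(f"12 random printable chars: {years_to_exhaust(95, 12, rate):.2e} years")
```

The two functions at the end separate the two things the breach changed: the stolen email and profile data let an attacker start the offline attack and seed it with plausible guesses, while the master password's length and randomness alone decide whether the key derivation's work factor makes that attack cost seconds or billions of years.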