LastPass, a password management service provider, has suffered a major data breach in which hackers gained access to a backup of customer vault data. The hackers could gain access to user passwords if they manage to crack the stolen password vaults. LastPass vault secrets (logins and passwords) are encrypted; however, website URLs and other metadata are not encrypted. As a result, some of the stolen information could be used in targeted attacks against users. Information obtained from a source code leak and a Twilio data breach provided the attackers with what they needed to break into the cloud infrastructure that stored customer data.
LastPass has been criticized for storing its vault data in a hybrid format where items like passwords are encrypted but other information, like URLs, is not. In this situation, the plaintext URLs in a vault could give attackers an idea of what's inside and help them prioritize which vaults to work on cracking first. The user-selected master password poses a particular problem for users seeking to protect themselves in the wake of the breach, because changing that primary password now with LastPass won't do anything to protect the vault data that has already been stolen.
As a remedial step, LastPass users should go through their vaults and take extra steps to protect themselves, including changing all of their passwords.
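The following is an added illustration, not LastPass's actual vault format or code, of the two points above: a simplified hybrid vault where URLs stay in plaintext while credentials are encrypted under a PBKDF2 key derived from the master password, plus a rotation step showing that re-encrypting the live vault under a new master password leaves a stolen copy decryptable with the old one, so only changing the stored site passwords invalidates it. The cipher is a toy HMAC keystream used purely for illustration, and the sample items are constructed.

```python
import hashlib, hmac, json, os

# Constructed sample vault contents (not real credentials).
SAMPLE_ITEMS = [
    {"url": "https://bank.example", "username": "alice", "password": "hunter2!"},
    {"url": "https://mail.example", "username": "alice@mail.example", "password": "s3cret"},
]

def derive_key(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Vault key derived from the user-chosen master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-counter stream cipher, for illustration only; a real vault uses AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_vault(master_password: str, items: list, salt: bytes) -> dict:
    """Hybrid layout: the URL is stored in plaintext, username/password are encrypted per entry."""
    key = derive_key(master_password, salt)
    entries = []
    for item in items:
        nonce = os.urandom(12)
        secret = json.dumps({"username": item["username"], "password": item["password"]}).encode()
        entries.append({"url": item["url"], "nonce": nonce.hex(), "ct": _xor_keystream(key, nonce, secret).hex()})
    return {"salt": salt.hex(), "entries": entries}

def decrypt_vault(master_password: str, vault: dict):
    """Returns the items, or None when the master password does not fit this copy of the vault."""
    key = derive_key(master_password, bytes.fromhex(vault["salt"]))
    items = []
    for e in vault["entries"]:
        pt = _xor_keystream(key, bytes.fromhex(e["nonce"]), bytes.fromhex(e["ct"]))
        try:
            items.append({"url": e["url"], **json.loads(pt)})
        except (ValueError, TypeError):  # garbage plaintext: wrong key for this copy
            return None
    return items

def exposed_metadata(vault: dict) -> list:
    """What a holder of a stolen copy can read with no cracking at all: the site URLs."""
    return [e["url"] for e in vault["entries"]]

def rotate_master_password(vault: dict, old: str, new: str) -> dict:
    """Re-encrypts the live vault under a new master password; a stolen copy is untouched."""
    return encrypt_vault(new, decrypt_vault(old, vault), os.urandom(16))
```

Rotating the master password produces a fresh ciphertext for the live vault only; the stolen backup still opens with the old password, which is why the remedial step is to change the site passwords stored inside it.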