The Lastpass hack was worse than the company first reported

After being hacked for the second time in as many years this August, password manager app Lastpass announced on Thursday the most recent intrusion was much more damaging than initially reported with the attackers having made off with users’ password vaults in some cases. That means the thieves have people’s entire collections of encrypted personal data, if not the immediate method to unlock them.

“No customer data was accessed during the August 2022 incident,” LastPass CEO Karim Toubba, explained. However, some of the app’s source code was lifted and then used to spearphish a Lastpass employee into giving up their access credentials, then used those keys to decrypt and copy off, “some storage volumes within the cloud-based storage service.”

Among the encrypted data obtained by the hackers included basic customer account information like company names, billing, email and IP addresses; and telephone numbers, Toubba continued. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” 

Still, you’re going to take the company’s word for it? I’m not. It’ll be a pain but swapping out all of your various existing site passwords for new ones — as well as picking a new master password — might ultimately prove necessary to regain your online security. Or you could just tell Lastpass to go kick rocks and switch over to 1Password or Bitwarden.