Password manager giant LastPass has confirmed that it was the victim of a data breach earlier this year.
The LastPass CEO said in an updated post that the intruders took a copy of a backup of customer data by using cloud storage keys stolen from a LastPass employee. LastPass did not give technical or security details of the proprietary format in which the cache of customer password vaults is stored. The vault-stored web addresses are not included in the data. It is not clear how old the backups are.
The password vaults can only be unlocked with the customer's master password. The company warned that the criminals may try to use brute force to guess your master password and steal your vault data.
Customer data, including names, email addresses, phone numbers and some billing information, was taken by the criminals.
Password managers are a great way to store your passwords, which should be long, complex and unique to each service. Not all password managers are created equal, and they can be attacked in different ways. No two users will have the same requirements.
If a bad actor gained access to a customer's password vault, they would need the customer's master password. Password vaults are only as strong as the password used to scramble them.
When you change your LastPass master password, the best approach is to write the new password down and keep it in a safe place. This means that your vault is safe.
You should change the passwords in your LastPass vault if you think that your LastPass password vault could be compromised. Work your way down the priority list by starting with the most critical accounts, such as your email accounts, cell phone plan accounts, bank accounts and social media accounts.
The good news is that if your account is protected with two-factor authentication, it will make it harder for an attacker to access it without that second factor, such as a phone pop-up or a text or email code. It is important to secure your email accounts and cell phone plan accounts first.