Password manager LastPass has just announced that an “unauthorized party” has gained access to LastPass users’ sensitive information and data.
According to LastPass CEO Karim Toubba, the hacker was able to obtain and copy user data which contained “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
However, Toubba assured users that the data accessed is secured with 256-bit AES encryption and can only be decrypted with the user’s master password (which, Toubba reminds users, is never known to LastPass and is not stored or maintained by LastPass).
Toubba says that while the threat actor may attempt to use “brute force” to guess users’ master passwords and decrypt the data, it would be extremely difficult to succeed at doing so.
LastPass still recommends, however, that its customers follow its password best practices, such as never reusing the master password on other sites, taking advantage of LastPass’ twelve-character minimum, and creating a strong password.