In August, LastPass, one of the leading password manager services, announced that its servers had been hacked.
Over the Christmas holiday, LastPass discussed just how bad a leak it really was.
At the time of the hack, LastPass said in a blog post that its initial investigation showed that, while a hacker had gained access to its development environment, there was “no evidence that this incident involved any access to customer data or encrypted password vaults.”
Since August, LastPass has made three updates to that blog. The latest, released on December 22, revealed that the hacker involved was able to gain access to “backup customer vault data.”
That includes “both unencrypted data, such as website URLs, as well as fully-encrypted, sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” the blog post reported.
That said, LastPass’ post adds, those fields remain encrypted, and “can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.”
LastPass users’ master passwords are not stored or maintained by the company, nor are they known to the company.
Could hackers get into LastPass passwords and data?
Though LastPass enforces a minimum 12-character master password that must include symbols, numbers and capital letters, hackers could attempt to get into the data using a brute force attack – that is, by employing software to guess combinations until getting it right.
LastPass says that if its customers use the default settings around their master password, “it would take millions of years to guess your master password using generally-available password-cracking technology.”
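The two claims above – that the vault key is derived from the master password, and that guessing it would take “millions of years” under the default settings – can be made concrete with a small calculation. The following is an added example and not code from the article or from LastPass; it assumes a PBKDF2-HMAC-SHA256 derivation salted with the account email purely for illustration (the article does not name the algorithm), a constructed sample master password, and an assumed cracking rate of 10 billion hash computations per second. It also checks a candidate master password against the 12-character, symbol, number and capital-letter policy the article describes.

```python
import hashlib
import math
import string

# Assumed iteration count used only for this illustration; the article does
# not state LastPass's actual default.
ASSUMED_DEFAULT_ITERATIONS = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Illustrative vault-key derivation (assumption: PBKDF2-HMAC-SHA256,
    salted with the lower-cased account email). The provider never sees the
    master password; only this derived key can unlock the encrypted fields."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def meets_master_password_policy(candidate: str) -> bool:
    """Policy described in the article: at least 12 characters, with a symbol,
    a digit and an upper-case letter."""
    return (
        len(candidate) >= 12
        and any(c in string.punctuation for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(c.isupper() for c in candidate)
    )


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a uniformly random password over a charset."""
    return length * math.log2(charset_size)


def years_to_exhaust(length: int, charset_size: int, iterations: int,
                     hashes_per_second: float) -> float:
    """Years needed to try every password of the given length and charset
    when each guess costs `iterations` hash computations. Exhausting the space
    is an upper bound; on average an attacker needs half of it."""
    guesses = charset_size ** length
    seconds = guesses * iterations / hashes_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample_password = "Correct-Horse-9-Battery"
    sample_email = "user@example.com"

    print("policy ok:", meets_master_password_policy(sample_password))
    key = derive_vault_key(sample_password, sample_email, ASSUMED_DEFAULT_ITERATIONS)
    print("derived key:", key.hex())

    # 94 printable ASCII characters, 12 characters long, assumed default iterations
    strong = years_to_exhaust(12, 94, ASSUMED_DEFAULT_ITERATIONS, 1e10)
    print(f"12-char full charset, default iterations: {strong:.3g} years")

    # A weakened configuration: 8 lower-case letters with the iteration count
    # dropped to 1, which is the kind of non-default setting the article
    # warns about.
    weak = years_to_exhaust(8, 26, 1, 1e10)
    print(f"8-char lower-case, 1 iteration: {weak:.3g} years")
```

The numbers show why the “default settings” caveat matters: the derived key is only as expensive to recover as the master password is to guess, and both a short or low-variety password and a reduced iteration count shrink the attacker's cost by orders of magnitude.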
However, according to Inc, customers should be wary of phishing attacks, where someone who appears to represent LastPass sends you an email seeking your password.
What should LastPass users do about the breach?
According to LastPass, there are “no recommended actions that you need to take at this time,” should customers be using the default settings.
However, the post adds that those who don’t use the default settings should consider changing the passwords stored in their vault.
Regarding phishing attacks, LastPass says they will never email or contact users seeking their password information.
What is a password manager?
A password manager stores your online credentials within one program. This means users do not have to remember complex passwords, while still being able to keep those passwords complex.