Password managers are something like the holy grail for hackers. Once they gain access to a service like that, they get a free pass to their target’s full online life. This nightmare scenario was confirmed to have occurred at LastPass, with hackers having obtained encrypted copies of password vaults following an attack in August. Only users’ master passwords remain as the last line of defense.

LastPass published a blog post detailing the incident (via TechCrunch). The revelation is related to the August incident, where hackers stole LastPass source code and further data. Back then, LastPass said that user data was unaffected and that the hackers only gained access to a testing environment. However, the hackers then used this data to compromise the account of a LastPass employee, and they were subsequently able to obtain backup copies of user vaults.

LastPass says that while these copies include some unencrypted fields, like website URLs, other sensitive information such as usernames and passwords are encrypted. This data is protected by users’ master passwords, which LastPass doesn’t store on any of its own servers. However, with the vaults now in the hands of hackers, it’s possible they could use brute force to guess the right password.

As long as you never reused your password and followed LastPass's best practices for password creation, the company says you should be safe. With a good password, it could take hundreds or even millions of years to get the right combination.

You should still be wary of phishing attempts trying to extradite your master password from you, though. With website URLs leaked, hackers could try to use phishing to get access to individual accounts interesting to them. LastPass or any of the services you use will never reach out to you and ask you to confirm your password.

The revelation that LastPass vaults were obtained by hackers came at an inconvenient time, with the company releasing details just a few days before Christmas. Many IT departments in charge of companies' password security might already be on vacation, and private users could be more concerned about visiting family than their passwords. It also doesn’t help that LastPass’s blog post doesn’t cut to the point straight away, going on about the history of the attack in the first few paragraphs rather than saying that vaults have been obtained at the top.

Security researcher and AdBlock Plus creator Wladimir Palant cautions LastPass users that their data might be much less secure than what the company wants to make them believe. In a detailed blog post, the researcher makes clear that LastPass never enforced its newer 12-character master password requirement for legacy users. On top of that, LastPass only uses minimum cryptographic protections meant to thwart brute-force attacks, which makes it likely that most of the leaked vaults could be opened much faster than the millions of years claimed by LastPass. Older accounts enjoy even less protection than that.

Palant also isn't happy about LastPass claiming that URLs are not sensitive information. Bad actors can use this information to get a detailed profile of someone's online life, including potential insight into sexual preferences if someone has their dating app password saved. In some countries, protecting these details is a matter of life and death, or at least freedom and imprisonment.

The company experienced another breach using data obtained in the same attack last month. A third-party service was affected at that time. In 2021, some users got another scare when they noticed blocked logins from other locations in the world, though these notices were either sent in error or because users re-used their master passwords on other services.

We strongly recommend that you take the time and switch to a competitor if you haven’t already. Even if you're confident that your LastPass master password is hard to guess, you should also go through all of your accounts and change passwords just to be safe.

We've removed LastPass from our list of recommended password managers, and we would encourage you to take a look at it to find an alternative. In addition to a good master password, best created using diceware, you should also protect your password manager with a two-factor authentication app of your choice.

UPDATE: 2022/12/29 05:34 EST BY MANUEL VONAU

Updated with further insight from security researcher