After getting hacked in August, LastPass promised that customer data was safe. Later, the company admitted that customer data was compromised, but claimed that user passwords were not part of the data breach. Unfortunately, LastPass was completely and totally wrong.
According to a new LastPass press release, hackers obtained a “backup of customer vault data” during the big security breach earlier this year. The information stored in this vault data is encrypted, but a hacker can decrypt it using your master password—that’s the password you use to log into LastPass.
If your LastPass master password is something simple, like “password1234” or “guitarhero1984,” you’re probably screwed. Hackers can easily guess these simple passwords using brute force. For security’s sake, please change your password on every website immediately. (A rival password manager that hasn’t been hacked, such as 1Password, can help you get the job done.)
Users who created a strong master password might be in the clear. At least, that’s what LastPass says. The company claims that it would be “extremely difficult” to guess master passwords for customers who followed the company’s “best practices” guidelines.
“The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.”
Even if you use a strong master password, there’s a chance that hackers will try to phish some information out of you. LastPass warns that it “will never call, email, or text you and ask you to click on a link to verify your personal information.”
To be clear, LastPass is still investigating this data breach. And after four months of “sorry, it’s worse than we thought,” customers are rightfully worried that LastPass doesn’t have all the details. For all we know, things could get even worse.
We asked our readers to stop using LastPass in July of 2020. And we still implore you to avoid this service. LastPass has a long record of data breaches, two of which occurred this year!