Reporting by TechCrunch’s Zack Whittaker on December 22, 2022, LastPass says hackers stole customers’ password vaults.
Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.
LastPass said customers’ password vaults are encrypted and can only be unlocked with the customers’ master password, which is only known to the customer. But the company warned that the cybercriminals behind the intrusion “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”
An exposed or compromised password vault is only as strong as the encryption — and the password — used to scramble it.
The best thing you can do as a LastPass customer is to change your current LastPass master password to a new and unique password (or passphrase) that is written down and kept in a safe place. This means that your current LastPass vault is secured.
If you think that your LastPass password vault could be compromised — such as if your master password is weak or you’ve used it elsewhere — you should begin changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, your cell phone plan account, your bank accounts and your social media accounts, and work your way down the priority list.
The good news is that any account protected with two-factor authentication will make it far more difficult for an attacker to access your accounts without that second factor, such as a phone pop-up or a texted or emailed code. That’s why it’s important to secure those second-factor accounts first, like your email accounts and cell phone plan accounts.
Shit this is fucking bad!