Encrypted password manager LastPass has revealed hackers were able to copy a backup of customer vault data in a recent data breach.
LastPass is a freemium password manager that stores encrypted passwords online.
LastPass said in a statement that the hacker was able to copy a backup of customer vault data from the encrypted storage container. That backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
This means the hacker may attempt to brute-force your master password and decrypt the copies of vault data they took.
Hackers may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with “your LastPass vault”.
LastPass recommends that its users never reuse their master password on other websites.
“If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account,” LastPass said.
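The two risks above, offline guessing of the master password and reuse of that password elsewhere, both come down to how expensive a single guess is and how many guesses the password can withstand. The following is an added example, not code from the article or from LastPass: it assumes PBKDF2-HMAC-SHA256 as the vault key derivation (LastPass's actual format and parameters are not given on this page) and an illustrative attacker hash rate, and uses them to show how iteration count and master password length multiply the cost of exhausting the keyspace.

```python
import hashlib
import math
import os
import string

# Assumptions, not facts from the article: PBKDF2-HMAC-SHA256 as the KDF and
# a hypothetical attacker able to compute 10 billion HMAC operations per second.
ASSUMED_HASH_RATE_PER_SEC = 10_000_000_000
ITERATIONS_LOW = 5_000      # a historically low iteration count, for contrast
ITERATIONS_HIGH = 600_000   # a modern OWASP-level iteration count


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_entropy_bits(password: str) -> float:
    """Rough entropy estimate: assume each character is drawn uniformly from
    the union of the character classes actually present in the password."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def seconds_to_exhaust(entropy_bits: float, iterations: int,
                       hash_rate: int = ASSUMED_HASH_RATE_PER_SEC) -> float:
    """Worst-case time for the assumed attacker to try every password of the
    given entropy, when each guess costs `iterations` HMAC computations.
    The offline attacker's cost grows linearly with the iteration count and
    exponentially with password entropy."""
    guesses = 2.0 ** entropy_bits
    return guesses * iterations / hash_rate


def is_reused(master_password: str, other_passwords: list[str]) -> bool:
    """Reuse check: a master password that appears in any other credential
    set can be recovered from a third-party dump instead of by brute force."""
    return master_password in other_passwords


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt
    for pw in ["password", "Correct-Horse-Battery-9"]:
        bits = password_entropy_bits(pw)
        key = derive_vault_key(pw, salt, ITERATIONS_HIGH)
        print(f"{pw!r}: ~{bits:.1f} bits, key {key.hex()[:16]}...")
        for iters in (ITERATIONS_LOW, ITERATIONS_HIGH):
            days = seconds_to_exhaust(bits, iters) / 86_400
            print(f"  {iters:>7} iterations: ~{days:.3g} days to exhaust")
    # constructed sample of other credentials, to show the reuse check
    print("reused:", is_reused("password", ["hunter2", "password"]))
```

The point of the numbers is the shape, not the exact values: raising the iteration count buys a constant factor, while each extra character of a random master password multiplies the attacker's work by the size of the character pool, which is why a long, unique master password matters far more once a copy of the vault is in the attacker's hands.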
Earlier this month, Karim Toubba, CEO of LastPass, admitted that the company's systems had been compromised for the second time this year.
LastPass detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.
The earlier security breach, in August this year, gave hackers internal access to the company's systems for four days before they were detected and evicted.