



As you have no doubt heard, LastPass has suffered yet another breach, which makes at least three separate incidents this year alone. The latest incident appears to be a follow-up to the previous intrusion from back in August.

Disclaimer: Recon is (as of this post) a LastPass customer. Rather than recap the details of the breaches, this post will focus strictly on "how does this affect me/my organization?" and "is LastPass still safe to use?" That said, we were already mid-migration away from LastPass prior to this latest incident, but our decision is only further solidified by recent events.

So I get it, another breach. What makes this one different? This is the first LastPass breach notification that clearly states that customer vaults have been stolen. Quoting the LastPass notification:

"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

But wait, surely LastPass factored this into their threat model and these vaults are useless in the hands of the attacker? The notification also states:

"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."

What this is saying is that the vaults are safe so long as your master password follows their best practices: it is not easily guessed, not crackable, not reused elsewhere, and so on. Unfortunately, that is a tough determination for the average user to make, and best practices are not common behavior among the less technical portion of your user base. So how does one really know the risk of their vault now floating around in dark corners of the internet? The largest risk to these vaults now is that an attacker has an unlimited amount of time to run offline brute-force attacks against them, in the hope of cracking open one more. Because the website URLs are stored unencrypted, the attacker can also see which vaults are worth that effort before spending any compute on them. What makes that even scarier is that opening even one vault could be detrimental to the organization it belongs to. Imagine how many passwords the average user has in a password manager, including not only their own accounts but credentials and secrets shared between teams. (Note: I am not certain at this time how shared vaults are affected by this compromise, but I am assuming the worst.)
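To make the offline brute-force risk concrete, here is an added example written for this post; it is not LastPass code and does not reproduce their vault format. It models a stolen vault whose field-encryption key is derived from the master password with PBKDF2-HMAC-SHA256 salted with the account email (an assumption; the notification names neither the KDF nor its work factor, and the 100,100 iteration figure below is likewise assumed), then runs a dictionary attack over it using passwords "reused elsewhere", that is, harvested from other breaches. A SHA-256-based keystream stands in for AES-256 so that the script runs with the standard library alone; the attack logic itself, one key derivation per candidate tested against a single encrypted field, is exactly what an attacker with unlimited offline time does against the real thing. All emails, URLs, credentials and the wordlist are constructed.

```python
import hashlib
import os
import string
import time


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Assumed KDF: PBKDF2-HMAC-SHA256, salted with the lowercased account email.
    The post does not state LastPass's real parameters; this is a model."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream standing in for AES-256 so the example needs only the stdlib."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext.encode(), ks))


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def looks_like_plaintext(data: bytes) -> bool:
    """A wrong key yields random bytes; the right key yields printable text.
    Crackers do the equivalent against real vaults via padding or known field structure."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return len(text) > 0 and all(c in string.printable for c in text)


def build_stolen_vault(email, master_password, iterations, url, username, password):
    """Constructed sample of what the attacker now holds: URL in the clear, creds encrypted."""
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,
        "iterations": iterations,
        "url": url,  # unencrypted, as the LastPass notice says of website URLs
        "username": encrypt_field(key, username),
        "password": encrypt_field(key, password),
    }


def offline_dictionary_attack(vault, candidates):
    """Unlimited offline attempts: derive one key per candidate master password and
    test it against a single encrypted field. Returns the master password or None."""
    for candidate in candidates:
        key = derive_vault_key(candidate, vault["email"], vault["iterations"])
        if looks_like_plaintext(decrypt_field(key, vault["username"])):
            return candidate
    return None


# Constructed data: a wordlist assembled from other breaches, a weak master password
# that appears in it, and a strong passphrase that does not.
LEAKED_PASSWORDS = ["password", "123456", "Welcome1", "Summer2022!",
                    "qwerty", "letmein", "P@ssw0rd", "lastpass123"]
ITERATIONS = 100_100  # assumed work factor; the post gives no figure

WEAK_VAULT = build_stolen_vault("alice@example.com", "Summer2022!", ITERATIONS,
                                "https://vpn.example.com", "alice@corp.example", "hunter2")
STRONG_VAULT = build_stolen_vault("bob@example.com", "correct-horse-battery-staple-1975",
                                  ITERATIONS, "https://vpn.example.com", "bob@corp.example", "hunter3")


def run_attack():
    """Attack both constructed vaults with the same leaked wordlist."""
    return {
        "weak": offline_dictionary_attack(WEAK_VAULT, LEAKED_PASSWORDS),
        "strong": offline_dictionary_attack(STRONG_VAULT, LEAKED_PASSWORDS),
    }


if __name__ == "__main__":
    t0 = time.perf_counter()
    results = run_attack()
    elapsed = time.perf_counter() - t0
    for name, pw in results.items():
        status = f"cracked, master password = {pw!r}" if pw else "not cracked with this wordlist"
        print(f"{name} vault ({WEAK_VAULT['url']}): {status}")
    print(f"{2 * len(LEAKED_PASSWORDS)} guesses at {ITERATIONS} iterations took {elapsed:.2f}s;"
          " each guess costs the full KDF, so work factor and password entropy are the defender's only levers")
```

Two things the run makes visible: the attacker never contacts LastPass again, so server-side rate limiting and lockouts play no part, and every guess costs the full PBKDF2 work, so the iteration count and the entropy of the master password are the only factors on the vault owner's side. The vault that used a password already present in other breach dumps opens after a handful of guesses; the passphrase vault survives this wordlist entirely.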
