LastPass Data Breach: What You Need to Know

Sat Dec 24 2022


Although the data was encrypted, LastPass recommends that users change their short and re-used passwords. There was no evidence that any credit card information was accessed during the breach.

LastPass previously announced that an unauthorized party gained access to a third-party cloud-based storage service that the company uses to store archived backups of production data. The attacker was able to copy information from the backup, which contained basic customer account information and related metadata such as company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.

In addition, the threat actor was able to copy a backup of customer vault data from the encrypted storage container. This data is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

It's important to note that these encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using LastPass's Zero Knowledge architecture. The master password is never known to LastPass and is not stored or maintained by the company.

There is no evidence that any unencrypted credit card data was accessed during the breach. If you use a unique master password with at least 12 characters, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass's Zero Knowledge architecture.
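The sketch below is an added example, not LastPass code or code from the original article. It shows how a vault key can be derived from a master password on the client, and why the time to guess that password depends on its length and on whether it is reused. The key-derivation function (PBKDF2-HMAC-SHA256), the use of the account e-mail as salt, the iteration count, and the attacker speed are all assumptions that the article does not state.

```python
import hashlib

# Assumptions, none of them stated in the article: PBKDF2-HMAC-SHA256 as the
# key-derivation function, the account e-mail as salt, and the constructed
# iteration count and attacker speed below.
ITERATIONS = 100_100
ATTACKER_ITERATIONS_PER_SECOND = 1e10   # constructed figure, not a measurement
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit key on the client; the server never needs the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def guesses_per_second(iteration_rate: float = ATTACKER_ITERATIONS_PER_SECOND,
                       iterations: int = ITERATIONS) -> float:
    """Each guess costs one full key derivation, so the iteration count divides the rate."""
    return iteration_rate / iterations


def years_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    """Years to try every password of this length drawn at random from the alphabet."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def seconds_for_wordlist(entries: int, rate: float) -> float:
    """A reused or previously leaked password falls within one pass over a wordlist."""
    return entries / rate


if __name__ == "__main__":
    # Constructed sample credentials.
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    print("vault key:", key.hex())
    rate = guesses_per_second()
    print(f"{rate:,.0f} guesses per second")
    print(f"12 random printable characters: {years_to_exhaust(12, 94, rate):.2e} years")
    print(f"8 lowercase letters: {years_to_exhaust(8, 26, rate) * 365.25:.1f} days")
    print(f"reused password in a 1e9-entry list: "
          f"{seconds_for_wordlist(10**9, rate) / 3600:.1f} hours")
```

The exhaustive-search figures apply only to passwords chosen at random. A short or reused master password is covered by the wordlist case, which is why those are the ones to change first.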

According to LastPass, there are no recommended actions that you need to take at this time if your passwords contain more than 12 characters and are unique. However, it's always a good idea to change your passwords regularly, and this is a good moment to do so. If you are wondering whether you should move from LastPass to another password manager, our answer is yes: we do recommend moving to a different password manager.

Sources

LastPass blog https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

