Hackers that targeted LastPass in August now have access to encrypted copies of users’ password vault data.
Master passwords were not compromised, according to the company’s December 22nd blog post update.
User data was not compromised in the August breach, and hackers could only access source code and other technical information. However, hackers used this information to target an employee, gaining their credentials to access information.
The hackers accessed “basic customer account information” like company names, phone numbers, and email addresses, in addition to backup copies of users’ password vaults.
While master passwords protect this information, hackers might use brute force to access the passwords. But “it would take millions of years to guess” as long as users followed the company’s best practices guidelines for constructing passwords.
LastPass is warning users to be vigilant of phishing attacks where hackers will try to get access to information associated with master passwords.
“It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”