LastPass hack was even worse than originally reported – should you delete your account?

Image: The LastPass logo in a stylized web browser under a magnifying glass (Image credit: II.studio/Shutterstock)

After informing customers that its password manager had suffered a security breach back in August, LastPass has now revealed that the attackers behind the incident also managed to steal users’ vault data.

In his initial security incident notice, LastPass CEO Karim Toubba said that “we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” However, we’re now learning that the cloud storage service the company uses to store archived backups of production data was also breached by the same attackers.

From here, the attacker used stolen source code and technical information from LastPass’ development environment to target one of its employees. After obtaining the employee’s credentials and keys, the attacker then used them to access and decrypt storage volumes stored within the company’s cloud storage.

Toubba also explained in his latest security incident notice that the attacker “was able to copy a backup of customer vault data from the encrypted storage container.” Although this vault data is “stored in a proprietary binary format,” it contains unencrypted data such as website URLs alongside “fully-encrypted sensitive fields” such as website usernames and passwords, secure notes and form-filled data.

Stolen vault data is safe for now


Fortunately, the encrypted fields in this stolen data are secured with 256-bit AES encryption and “can only be decrypted with a unique encryption key derived from each user’s master password,” according to Toubba.

It’s also worth noting that LastPass doesn’t know its customers’ master passwords, nor is this information stored or maintained by the company.

While it appears that the passwords and other sensitive data LastPass customers store in their vaults are safe for now, Toubba did warn that the attacker may try to brute-force their master passwords in an attempt to decrypt the stolen vault data. However, because of the hashing and encryption methods the company uses, this “would be extremely difficult to attempt”, especially for customers who follow its best password practices.
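To make the two statements above concrete, here is an added example (not LastPass’s code, and not a description of its actual format) of the model the article describes: a 256-bit AES key is derived from the master password with a slow password hash, and only that key opens the encrypted fields. The article names only 256-bit AES and a key “derived from each user’s master password”; the choice of PBKDF2-HMAC-SHA256 as the derivation function, AES-GCM as the mode, the per-user salt, the iteration count and every sample value are this example’s assumptions. Because each guess at the master password costs a full key derivation, and a wrong key is rejected by the authentication tag rather than yielding readable text, the iteration count and the strength of the master password are what decide how hard the brute-force attempt Toubba describes would be.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Pbkdf2SHA256 derives keyLen bytes from password and salt with PBKDF2-HMAC-SHA256
// (RFC 8018). It is written out here so the example needs only the standard library.
// Every iteration costs one HMAC evaluation, which is what makes each guess expensive.
func Pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var counter [4]byte
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(password, salt || INT(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(counter[:], uint32(block))
		prf.Write(counter[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1});  T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveVaultKey turns a master password into a 256-bit AES key. The salt and
// iteration count are this example's assumptions, not LastPass's parameters.
func DeriveVaultKey(masterPassword, salt string, iterations int) []byte {
	return Pbkdf2SHA256([]byte(masterPassword), []byte(salt), iterations, 32)
}

// SealField encrypts one vault field with AES-256-GCM. GCM's authentication tag
// is what lets OpenField detect a wrong key instead of returning garbage.
func SealField(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// OpenField decrypts a field; it returns an error unless the key matches.
func OpenField(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample values; a real vault uses a fresh random nonce per field.
	const salt = "user@example.test"
	const iterations = 100000
	nonce := make([]byte, 12)
	key := DeriveVaultKey("example-master-passphrase-2022", salt, iterations)

	ct, err := SealField(key, nonce, []byte("site-password-s3cret"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored ciphertext:", hex.EncodeToString(ct))

	// The right master password recovers the field.
	pt, err := OpenField(key, nonce, ct)
	fmt.Printf("correct master password -> %q, err=%v\n", pt, err)

	// A wrong guess costs a full derivation and is then rejected by the GCM tag.
	wrong := DeriveVaultKey("wrong-guess", salt, iterations)
	_, err = OpenField(wrong, nonce, ct)
	fmt.Println("wrong master password ->", err)
}
```

The design point for a defender is the asymmetry: the legitimate user pays the derivation cost once per unlock, whereas every guess at the master password pays it again, so raising the iteration count multiplies the cost of the attempt the article warns about without making the vault noticeably slower to open. The unencrypted URLs the article mentions sit outside this protection entirely, which is why the notice also warns about targeted phishing.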

At the same time, the attacker may try to target LastPass customers through phishing attacks, credential stuffing or other brute-force attacks against the online accounts stored in their vaults. Toubba also points out in his security incident notice that, to keep customers safe from social engineering and phishing, the company will never call, email or text them asking them to click on a link to verify their personal information. LastPass will also never ask you to provide your master password.

Should you delete your LastPass account?

As reported by BleepingComputer, the cloud storage breach is the second security incident LastPass has disclosed this year, after it confirmed back in August that an attacker was able to breach its developer environment using a compromised employee account.

If you find this unsettling as a LastPass customer, you may be thinking about deleting your account. While LastPass has been one of the best password managers for years now, these recent security incidents show how valuable hacking a company like this can be for an attacker (this is how to delete your LastPass account if you're so inclined).

If you don’t plan on deleting your LastPass account, you should at least pick a new master password, especially if your original one wasn’t complex or unique enough. To do so, you can use a password generator to create an even stronger one.

Other password managers worth considering

Image: Holographic login above a laptop keyboard (Image credit: Song_about_summer / Shutterstock)

For those who feel they can no longer trust LastPass, there are plenty of great alternatives out there including 1Password, Dashlane and Keeper.

1Password costs the same as LastPass per month, Dashlane has an excellent desktop interface, and with Keeper, Tom’s Guide readers can get an annual subscription for just $21 thanks to this promotion.

If you’re looking to save some cash, Bitwarden has a totally unlimited free version. While we normally recommend that you don’t store your passwords in your browser, Chrome Password Manager is a good free option to tide you over until you make your final decision.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.