LastPass admits attackers have a copy of customers’ password vaults
2022-12-23 06:35

Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.

The update reveals that the attacker also copied "Customer vault" data - the file LastPass uses to let customers record their passwords.

LastPass' advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update, as "It would take millions of years to guess your master password using generally-available password-cracking technology."

One of those default settings is not to re-use the master password that is required to log into LastPass.

The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.

So while LastPass is confident that the files copied from its cloud will resist brute force attempts to crack the master password, if that credential is already out there, you know how this one ends, and it is not pleasant, as a LastPass account can store hundreds of passwords.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/23/lastpass_attack_update/