Security News > 2022 > December > LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all…
We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.
In its previous breach notifications, the company had carefully spoken about customer data and encrypted password vaults as two distinct categories.
According to LastPass, the secret data it backs up for you never exists in unencrypted form on LastPass's own servers, and LastPass never stores or sees your master password.
Says LastPass, your backed-up password data is always uploaded, stored, accessed and downloaded in encrypted form, so that the crooks still need to crack your master password, even though they now have your scrambled password data.
That was based on LastPass's assertions not only that backed-up password vaults were encrypted with passwords known only to you, but also that those password vaults weren't accessed anyway.