LastPass, a password management software used by over 33 million people and 100,000 businesses worldwide, has revealed that customer vault data was stolen after the company’s cloud storage was breached earlier this year.

What happened?

The attacker gained access to the cloud storage using stolen “cloud storage access key and dual storage container decryption keys” and copied basic customer information, as well as customer vault data, which is stored in a proprietary binary format containing both unencrypted and encrypted data.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

The encrypted data can only be decrypted with a unique key derived from each user’s master password, which LastPass does not store or maintain.

These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.

What is the real risk?

According to the official press release,

The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls. The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault.
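As an added illustration (not code from the article or from LastPass), the following Python models the client-side key derivation the notice describes and shows why the per-guess cost of that derivation and the entropy of the master password together decide how long offline guessing against a stolen vault copy would take. The KDF (PBKDF2-HMAC-SHA256), the salt and the iteration counts are assumptions chosen for the example, not LastPass's actual parameters.

```python
import hashlib
import math
import time

# Constructed parameters for illustration only: the article does not state which
# KDF, salt or iteration count LastPass uses, so PBKDF2-HMAC-SHA256 with a
# per-user salt is an assumption here.
KDF_HASH = "sha256"
KEY_LEN = 32  # 256-bit key, matching the "256-bit AES encryption" in the article


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key on the client from the master password.
    Only this derived key is used for AES; the password itself is never sent to
    or stored by the server, so the stolen ciphertext is useless without it."""
    return hashlib.pbkdf2_hmac(
        KDF_HASH, master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def seconds_per_guess(salt: bytes, iterations: int, samples: int = 3) -> float:
    """Cost of one derivation on this CPU. Every password guess against a stolen
    vault must pay this cost, so the iteration count sets the per-guess price.
    A GPU cracking rig is far faster than this single-core figure."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a random passphrase drawn uniformly from a word list."""
    return word_count * math.log2(dictionary_size)


def expected_guess_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the space on average."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed sample value
    for iterations in (5_000, 100_000, 600_000):
        rate = 1.0 / seconds_per_guess(salt, iterations)
        for words in (3, 6):
            bits = passphrase_entropy_bits(words, 7_776)  # 7,776-word diceware-style list
            years = expected_guess_seconds(bits, rate) / (365 * 86_400)
            print(f"{iterations:>7} iterations, {words}-word passphrase ({bits:.0f} bits): "
                  f"~{years:.3g} years at {rate:.0f} guesses/s on this core")
```

The printed figures are for a single CPU core; scale the rate up by the attacker's hardware before treating any of them as a safety margin.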

This is the second security incident disclosed by LastPass this year, following a breach in August in which the company’s developer environment was accessed using a compromised developer account and proprietary technical information and source code were stolen.