Sarah Tew / CNET
Password management service LastPass on Thursday disclosed more details about November's breach, confirming that basic customer information was exposed in the clear, but not unencrypted passwords or credit card details.
The breach at the end of November grew out of an earlier one in August, when attackers broke into one of LastPass' back-end code repositories and took company source code and technical information. That material was then used to break into another LastPass storage system and copy unencrypted customer data: names, email and billing addresses, phone numbers, and the IP addresses from which customers accessed the service. No unencrypted credit card data was exposed.
More sensitive data, including the website usernames and passwords stored in customer vaults, was also stolen, but those fields are encrypted by default with 256-bit AES under a key derived from each user's master password, which LastPass never stores on its servers, so they are very unlikely to be exposed as long as the master password holds up. One caveat worth noting: some vault fields, such as website URLs, were not encrypted, so whoever holds the stolen backup can see which sites a customer has accounts with even without the master password.
Attackers could still reach that encrypted data if a user's master password is easy to guess, for example because it is reused to log in to other sites and has already leaked, or if the user falls for phishing or social engineering. Because the attacker holds the encrypted vault backups offline, the only thing standing in the way of a brute-force attempt is the cost of deriving a key from each candidate master password. For users who set their master password according to LastPass' best practices, which the company reiterated in the blog post disclosing the breach, it would take "millions of years" to guess. That estimate assumes the current defaults, a master password of at least 12 characters and 100,100 iterations of PBKDF2 for key derivation; accounts created under older defaults may still be configured with fewer iterations and should be checked.
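To make the guessing-cost argument concrete, here is an added illustration (not LastPass's code and not part of the original article) of what an attacker holding a stolen vault backup can and cannot do offline. It assumes, following LastPass's published design, that the vault key is PBKDF2-HMAC-SHA256 over the master password salted with the lowercased email, and that the server stores only a further hash derived from that key; the HMAC tag over a known header is a stand-in for the AES authentication check that tells an attacker a guess was right. The iteration counts other than the 100,100 default, the email address, the candidate passwords and the leaked-list size are all constructed for the example.

```python
"""Offline guessing against a stolen, master-password-encrypted vault backup.

Added illustration; not LastPass code. ASSUMPTIONS: the vault key is
PBKDF2-HMAC-SHA256(master_password, salt=lowercased email, N iterations),
modelled on LastPass's published design; the server-side login hash is one
extra PBKDF2 round keyed by that vault key; an HMAC tag over a known vault
header stands in for the AES authentication check an attacker would use to
confirm a guess. All sample data below is constructed.
"""
import hashlib
import hmac
import time

DEFAULT_ITERATIONS = 100_100          # LastPass's stated default
LEGACY_ITERATIONS = 5_000             # assumed lower setting on an old account
SECONDS_PER_YEAR = 365.25 * 24 * 3600
VAULT_HEADER = b"DEMO-VAULT-V1"       # constructed known plaintext


def derive_vault_key(master_password: str, email: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive the 256-bit vault key; only the client ever runs this."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the server stores for authentication (assumed construction).
    It is derived *from* the vault key, so a stolen copy of it gives an
    attacker no shortcut back to the key or the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode(), 1, dklen=32)


def seal_vault(vault_key: bytes) -> bytes:
    """Stand-in for the authentication tag on the encrypted vault."""
    return hmac.new(vault_key, VAULT_HEADER, hashlib.sha256).digest()


def guess_master_password(email: str, tag: bytes, candidates,
                          iterations: int = DEFAULT_ITERATIONS):
    """Attacker's loop: derive a key per candidate and test it against the
    tag. Every guess costs a full PBKDF2 run, which is the whole defence."""
    for candidate in candidates:
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(seal_vault(key), tag):
            return candidate
    return None


def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given guessing rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def measure_guess_rate(iterations: int = DEFAULT_ITERATIONS,
                       samples: int = 5) -> float:
    """Guesses per second this machine manages at the given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe{i}", "user@example.com", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "Victim@Example.com"
    # constructed: a reused password already on a leaked list vs a random one
    reused = "Summer2022!"
    strong = "gT7#pLq2@vM9xR!d"
    leaked_list = ["password", "123456", "letmein",
                   "Summer2021!", "Summer2022!", "qwerty"]

    for label, pw in (("reused", reused), ("strong", strong)):
        tag = seal_vault(derive_vault_key(pw, email))
        print(f"{label}: cracked -> {guess_master_password(email, tag, leaked_list)}")

    rate = measure_guess_rate()
    print(f"this machine: {rate:,.1f} guesses/s at {DEFAULT_ITERATIONS:,} iterations")
    for n in (DEFAULT_ITERATIONS, LEGACY_ITERATIONS):
        scaled = rate * DEFAULT_ITERATIONS / n     # cost scales with iterations
        print(f"{n:,} iterations: 12 random printable chars take "
              f"{years_to_exhaust(94 ** 12, scaled):.2e} years; "
              f"a 10M-entry leaked list takes {1e7 / scaled:.0f} s")
```

The takeaway the numbers make visible: a lower iteration count makes guessing linearly cheaper, but a master password that appears on a leaked list is cracked in seconds at any iteration count, while a random 12-character one stays out of reach even on the legacy setting. Password quality dominates; the KDF setting only moves the constant.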
Hacks are only becoming more common, but this event illustrates two points about modern cybercrime. First, an initial breach that doesn't touch ordinary users can be the stepping stone to one that does. Second, LastPass' decision never to store user master passwords means the stolen company information on its own can't unlock the encrypted vault data, at least so far as we know.