LastPass discovered in August that its software’s source code and technical information had been stolen. The theft allegedly took place at an external storage service used by the company.
LastPass initially reported that no customer data or passwords were captured in the attack. Last month it emerged that the hackers had stolen usernames, addresses, email addresses, phone numbers and IP addresses. It now appears that the hackers also gained access to the password vaults via a diversion.
According to LastPass, affected users need not worry about passwords being stolen. These are encrypted and, according to the company, can only be decrypted with a so-called master password. This doesn’t store LastPass, but users own it.
The password manager recognizes that hackers could crack passwords via a so-called brute force-attack. A hacker then uses software that tries different combinations of login names and passwords.
But according to LastPass, cracking a file master password determined according to password manager guidelines and consists of twelve characters lasts millions of years. People who have a shorter password or use it elsewhere are advised to change it.
It is unclear how many users are affected. Users who haven’t received an email needn’t worry, according to the password manager.
