Hackers stole encrypted LastPass password vaults and we’re only now hearing about it
LastPass has a doozy of an update to its announcement about a recent data breach: the company, which promises to keep all your passwords in one safe place, now says hackers were able to “copy a backup copy of customer vault data”, which means they can now, in theory, access all those passwords if they can crack the stolen vaults (via TechCrunch).
If you have an account that you use to store passwords and credentials on LastPass, or if you used to have one and didn’t delete it before this fall, your password vault may be in the hands of hackers. Still, the company claims you might be safe if you have a strong master password and the latest default settings. However, if you have a weak master password or weaker settings, the company says that “an additional security measure should be considered to minimize risk by changing the passwords of websites you have saved.”
That may mean changing the passwords for every website you trusted LastPass to save.
While LastPass insists that passwords are still protected by the account’s master password, it’s hard to take its word for it at this point given how it’s handled these revelations.
When the company announced the break-in in August, it said it did not believe user data had been accessed. Then, in November, LastPass said it had detected an intrusion, apparently relying on information stolen during the August incident (it would have been nice to hear about that possibility sometime between August and November). That intrusion gave someone “access to certain elements” of customer information. It turns out those “certain elements” were, you know, the most important and secret things that LastPass stores. The company says there is “no evidence that unencrypted credit card information was accessed,” but that would probably have been better than what the hackers got away with. At least it’s easy to cancel a card or two.
Customer vault backups were copied from cloud storage
We’ll see how this all plays out later, but here’s what Karim Toubba, CEO of LastPass, has to say about the vaults being taken:
The threat actor was also able to copy backed up client vault data from the encrypted storage container stored in a proprietary binary format containing both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and filled form data.
Toubba says the only way an attacker would be able to get to that encrypted data, and therefore your passwords, would be with your master password. LastPass says it never had access to master passwords.
That’s why he says, “It would be extremely difficult to try and brute force guess master passwords,” as long as you had a really good master password that you never reused anywhere else (and as long as there wasn’t a technical error getting in the way). LastPass encrypted the data (although the company has made some rather basic security mistakes). But whoever has this data can try to unlock it by guessing passwords over and over, aka brute force.
LastPass says that using the recommended default settings should protect you from those kinds of attacks, but it doesn’t mention any feature that would prevent someone from repeatedly trying to unlock a copied vault for days, months or years. It’s also possible that people’s master passwords can be obtained in other ways. If someone reuses their master password for other logins, it may have been leaked during other data breaches.
It’s also worth noting that if you have an older account (created before a newer default setting was introduced after 2018), a weaker password-strengthening process may have been used to protect your master password. According to LastPass, it currently uses “a stronger-than-typical implementation of 100,100 iterations of the password-based key derivation function,” but when a Verge employee checked their older account using a link the company mentions in its blog, their account was set to 5,000 iterations.
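To make the iteration-count point concrete, here is an added Python example (not LastPass’s code, and not from the article) that stretches a master password with PBKDF2-HMAC-SHA256 at the two iteration counts quoted above and shows how the cost of checking a single guess scales with that setting. The per-account salt, the sample candidate passwords, the keyspace sizes in the comparison, and the choice of a 32-byte PBKDF2-HMAC-SHA256 output are assumptions for illustration; the page does not state LastPass’s exact parameters.

```python
import hashlib
import time

# Iteration counts quoted in the article.
CURRENT_DEFAULT_ITERATIONS = 100_100  # LastPass's stated current default
LEGACY_ITERATIONS = 5_000             # value found on an older account


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    Assumption for illustration: a per-account salt and a 32-byte output.
    The salt value is constructed; LastPass's exact parameters are not on the page.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def cost_ratio(weak_iterations: int, strong_iterations: int) -> float:
    """How many times more work one guess costs at the stronger setting.

    PBKDF2 work is linear in the iteration count, so whoever holds a copied
    vault can check a 5,000-iteration vault about 20x faster than a
    100,100-iteration one, whatever hardware they use.
    """
    return strong_iterations / weak_iterations


def measure_guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Time PBKDF2 on this machine: how many candidate master passwords one
    CPU core can check per second at the given iteration count.

    Dedicated cracking hardware is far faster, so the absolute number only
    calibrates the estimate; the iteration count sets the relative cost.
    """
    salt = b"constructed-salt@example.invalid"  # constructed sample salt
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def days_to_exhaust(keyspace_size: int, guesses_per_second: float) -> float:
    """Worst-case days to try every candidate in a keyspace at a given rate.

    This is the margin a user has: a master password drawn from a large
    keyspace keeps this number astronomically large even at 5,000 iterations,
    while a short or reused one gives little margin at any setting.
    """
    return keyspace_size / guesses_per_second / 86_400


if __name__ == "__main__":
    ratio = cost_ratio(LEGACY_ITERATIONS, CURRENT_DEFAULT_ITERATIONS)
    print(f"one guess costs {ratio:.2f}x more at {CURRENT_DEFAULT_ITERATIONS:,} iterations")
    for iters in (LEGACY_ITERATIONS, CURRENT_DEFAULT_ITERATIONS):
        rate = measure_guesses_per_second(iters)
        # Constructed comparison: a 10-character lowercase-only password (26**10)
        # versus a 16-character password drawn from 72 symbols (72**16).
        weak = days_to_exhaust(26 ** 10, rate)
        strong = days_to_exhaust(72 ** 16, rate)
        print(f"{iters:>7,} iterations: {rate:8.1f} guesses/s on one core; "
              f"26^10 keyspace {weak:.3g} days, 72^16 keyspace {strong:.3g} days")
```

Run it as a script to see the measured rate on your own machine; the useful takeaway is that the 5,000-iteration setting makes each guess roughly twenty times cheaper than the current default, and that the length and uniqueness of the master password, not the iteration count, is what dominates the margin once a vault has been copied.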
Perhaps most concerning is the unencrypted data – since it contains URLs, it can give hackers an idea of what websites you have accounts with. If they decide to target certain users, that could be powerful information combined with phishing or other types of attacks.
If I were a LastPass customer, I wouldn’t be happy with the way the company released this information
While none of that is great news, it’s all something that could, in theory, happen to any company that stores secrets in the cloud. When it comes to cybersecurity, the name of the game isn’t a 100 percent perfect track record; it’s how you respond to disasters when they happen.
And this is where LastPass absolutely failed in my opinion.
Remember, it’s making this announcement today, December 22 – three days before Christmas, a time when many IT departments will be largely on vacation and when people are unlikely to pay attention to updates to their password manager.
(In addition, the announcement only gets to the part about the vaults being copied five paragraphs in. And while some of the information is in bold, I think it’s fair to expect such an important announcement to be right at the top.)
LastPass says the vault backup was initially not compromised in August; instead, the story is that the threat actor used information from that breach to attack an employee who was accessing a third-party cloud storage service. The vaults were stored in and copied from one of the volumes accessed in that cloud storage, along with backups containing “basic customer account information and related metadata”. That includes things like “company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service,” according to LastPass.
Toubba says the company is taking all sorts of precautions as a result of the initial breach and the secondary breach that exposed the backups, including adding more logging to detect suspicious activity in the future, rebuilding the development environment, rotating login details and more.
That’s all good, and it should do those things. But if I were a LastPass user, I’d seriously consider leaving the company right now, because we’re looking at one of two scenarios here: either the company didn’t know that backups with users’ vaults were on the cloud storage service when it announced that it had detected unusual activity there on November 30, or it did know and chose not to tell customers about the possibility that hackers had gained access to them. Neither looks good.