LastPass says hackers have stolen encrypted vault database backup with user data

Security (Pexels, general use)

LastPass has to admit the next serious security incident. LastPass just announced that a threat actor had stolen a backup copy of its customers' encrypted vault data. The theft was carried out with cloud storage keys stolen from a LastPass employee in August 2022. Should the attacker be able to crack the encryption, the stored user credentials would be exposed, the worst case imaginable.


LastPass is a service for storing passwords and access data for online accounts; this data is kept in a data vault in the cloud. You should avoid this at all costs, as you become dependent on the service and its security. LastPass had to report a security incident in August, in which its development environment was hacked (see LastPass security incident: Development environment hacked (August 25, 2022)). The attackers had four days to look around the internal IT network (see the links at the end of the article). In November 2022, it became known that LastPass customer data had been accessed after a cloud storage service was hacked.

Vault data backup stolen in a hack

In a message dated Dec. 20, 2022, LastPass now admits to the next security incident. In the hack of the cloud storage service (see LastPass customer data accessed after cloud storage service hack (Nov. 2022)), more data was exfiltrated than previously known. LastPass writes that its investigation to date has revealed that an unknown threat actor accessed a cloud-based storage environment, using information obtained in the August 2022 incident (LastPass security incident: Development environment hacked (August 25, 2022)).

During the August 2022 incident, customer data was not accessed, but some source code and technical information was stolen from the LastPass development environment. This information was used to attack another employee and obtain credentials and keys used to access and decrypt some storage volumes within the cloud-based storage service.

While the LastPass production services are currently run from local data centers, cloud-based storage is used for a variety of purposes, such as backup storage and regional data residency requirements. The cloud storage service that the threat actor was able to access is physically separate from the LastPass production environment.

However, the evaluation to date revealed that the threat actor obtained the access key for the cloud storage and the decryption keys for the two storage containers. As a result, the attacker was able to copy information from the backup, which gave access to basic customer account information and associated metadata. This includes company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service.


The threat actor was also able to copy a backup copy of the customer vault data from the encrypted storage container. The backup copy, while stored in a proprietary binary format, contains both unencrypted data such as website URLs and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and data entered into forms.

These encrypted fields are secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using the LastPass Zero Knowledge architecture.

As a reminder, the master password is never known to LastPass and is neither stored nor managed by LastPass. Encryption and decryption of data is performed only on the local LastPass client. More information about our Zero Knowledge architecture and encryption algorithms is available here.

There is no evidence that unencrypted credit card data was accessed, the company writes, because LastPass does not store full credit card numbers and credit card information is not archived in this cloud storage environment.

However, the threat actor could attempt to guess users' master passwords by brute force and then decrypt the copies of the stolen vault data. Because of the hashing and encryption methods LastPass uses to protect the vault data, brute-forcing the master passwords of customers who follow LastPass password best practices would be extremely difficult. All in all, this is a debacle for LastPass.
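The two claims above, that the vault key is derived on the client from the master password and that guessing it is only hard when the master password is strong, can be illustrated with a small model. The following Python is an added example and is not LastPass code or the page's own material: it assumes PBKDF2-HMAC-SHA256 as the key derivation function with the lower-cased account identifier as salt, an extra PBKDF2 round to produce a separate login hash, and treats the iteration count and the attacker's hashing throughput as illustrative parameters rather than figures taken from the page. It then estimates the expected cost of an exhaustive guess for a few constructed password policies, which is what a defender uses to reason about how much protection the encrypted backup still provides.

```python
# Added illustrative model, not LastPass's code: how a vault key is derived
# on the client from the master password, and how master-password strength and
# KDF work factor drive the cost of guessing against a stolen encrypted backup.
import hashlib
import math
import time

KEY_BYTES = 32  # 256-bit key, matching the AES-256 field encryption described


def derive_vault_key(master_password: str, account_id: str, iterations: int) -> bytes:
    """Derive the vault key with PBKDF2-HMAC-SHA256 on the client.

    Assumption for this example: the salt is the lower-cased account identifier.
    Neither the master password nor the derived key is ever sent to the server,
    which is why the stolen backup is useless without a correct guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_id.strip().lower().encode("utf-8"),
        iterations,
        dklen=KEY_BYTES,
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Turn the vault key into a separate value the server may store for login.

    Illustrative design: one more PBKDF2 round with the password as salt, so the
    stored value does not reveal the vault key itself.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=KEY_BYTES)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float) -> float:
    """An exhaustive search finds a uniformly random password after half the space, on average."""
    return 2.0 ** (entropy_bits - 1)


def expected_crack_seconds(entropy_bits: float, iterations: int, hmac_per_second: float) -> float:
    """Attacker cost: each guess costs `iterations` HMAC-SHA256 evaluations.

    `hmac_per_second` is the attacker's assumed throughput; it is a parameter,
    not a figure from the page.
    """
    return expected_guesses(entropy_bits) * iterations / hmac_per_second


def compare_policies(iterations: int, hmac_per_second: float) -> dict:
    """Expected crack time in seconds for a few constructed password policies."""
    policies = {
        "8 lowercase letters": password_entropy_bits(8, 26),
        "10 mixed-case alphanumerics": password_entropy_bits(10, 62),
        "12 random printable ASCII": password_entropy_bits(12, 94),
        "5 words from a 7776-word diceware list": password_entropy_bits(5, 7776),
    }
    return {name: expected_crack_seconds(bits, iterations, hmac_per_second)
            for name, bits in policies.items()}


def measure_seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine, to calibrate the estimate."""
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key("calibration-password", "calibration@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    # Constructed example values; the attacker throughput is an assumption.
    ITERATIONS = 100_000
    ATTACKER_HMAC_PER_SECOND = 1e10

    key = derive_vault_key("correct horse battery staple", "Alice@Example.com", ITERATIONS)
    print("vault key (client only):", key.hex()[:16], "...")
    print("login hash (storable):  ", derive_login_hash(key, "correct horse battery staple").hex()[:16], "...")
    print("one guess on this host:  %.4f s" % measure_seconds_per_guess(ITERATIONS))
    for name, secs in compare_policies(ITERATIONS, ATTACKER_HMAC_PER_SECOND).items():
        print("%-40s %12.3g years" % (name, secs / (365 * 24 * 3600)))
```

The estimate scales linearly with the iteration count and exponentially with password entropy, which is the whole point of the "best practices" caveat: a high work factor multiplies the attacker's cost by a constant, while a short or predictable master password divides the search space by orders of magnitude, and only the user controls the latter. Estimates for real dictionary or rule-based guessing are lower than the uniform-random figures here, since they are bounded by the password's actual, not nominal, entropy.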

Similar articles
LastPass security incident: Development environment hacked (August 25, 2022)
LastPass confirmed: Attackers had access to internal systems for four days
LastPass customer data accessed after cloud storage service hack (Nov. 2022)
