Hackers obtained LastPass customer data vaults in recent data breach

LastPass is informing customers that the August data breach gave hackers access to customers’ names, addresses, and data vaults.

On November 30, LastPass notified customers that it was investigating an August “security incident” resulting in customer data theft.

Now, LastPass CEO Karim Toubba has posted a blog informing customers of the extent of what was stolen.

“So far, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the blog post reads.

The hacker also created a copy of customer vault data, which the company maintains is “stored in a proprietary binary format.” Some vault data, like website URLs, is not encrypted. Other data, like usernames and passwords, is “secured with 256-bit AES encryption,” which the company maintains cannot be decrypted by hackers.

“[Encrypted data] can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba writes. “As a reminder, the master password isn’t known to LastPass and isn’t stored or maintained by LastPass.”

While the company claims that it would be extremely unlikely that the hackers could decrypt the data, it warns users that they could be targeted by phishing or social engineering attacks.

LastPass has come under fire for questionable security practices in the past.

In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that the attacks were a result of passwords leaked in third-party breaches.
