LastPass Confirms Encrypted Vault Backups Stolen in Second Breach
Password manager LastPass disclosed that the attacker behind its August breach returned in November and exfiltrated encrypted customer vault backups along with billing data, URLs, and unencrypted metadata.
Password manager LastPass confirmed today that the attacker behind an August intrusion against its developer environment returned in November and successfully stole a backup of customer vaults from a cloud storage location.
In an updated incident notice published by CEO Karim Toubba, the company acknowledged that the stolen archive contains both encrypted and unencrypted customer data. Vault items including passwords, secure notes, and form-fill information remain encrypted under each customer's master password using AES-256. However, URLs, billing addresses, IP addresses, telephone numbers, and email addresses were stored unencrypted.
"The threat actor may attempt to use brute force to guess your master password and decrypt copies of vault data they took," LastPass wrote. The company recommended customers consider rotating high-value credentials, particularly those whose master passwords were short, reused, or based on dictionary words.
Security researchers reacted sharply. Wladimir Palant, a former Adblock Plus author who has written extensively about LastPass's security posture, criticized the company's incremental disclosures as misleading and the cryptographic guarantees as weaker than implied by marketing.
"For users with strong, unique master passwords iterated above the default PBKDF2 work factor, the encrypted vaults are likely unbreakable," wrote security researcher Jeremi Gosney. "For everyone else, this is a generational disaster: an offline attacker with unlimited time can grind master passwords at GPU speeds."
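The two quotes above describe the same trade-off from opposite ends: once vault ciphertext is offline, the only things standing between an attacker and the plaintext are the entropy of the master password and the PBKDF2 work factor, and the attacker's cost scales linearly with one and exponentially with the other. The following added illustration (not LastPass code; the guess rate, the salt construction and the threshold are constructed assumptions) derives a vault key with PBKDF2-HMAC-SHA256 and turns those two parameters into a rotate-or-not estimate a defender can reason with.

```python
"""Added illustration, not LastPass code: how master-password entropy and the
PBKDF2 iteration count jointly set the cost of an offline guessing attack
against stolen vault ciphertext. Every figure below is a constructed assumption."""
import hashlib

# Constructed assumption: guesses per second against a 1-iteration
# PBKDF2-HMAC-SHA256 on the attacker's hardware. Adjust to your threat model.
ASSUMED_RATE_ONE_ITER = 10_000_000_000  # 1e10 guesses/s


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    `salt` stands in for whatever per-account value a vendor uses; this is an
    illustration of the construction, not the product's exact parameters."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt.encode(), iterations, dklen=32
    )


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           rate_one_iter: int = ASSUMED_RATE_ONE_ITER) -> float:
    """Expected time to search half the password space.

    Each guess costs `iterations` HMAC rounds, so effective guess rate falls
    linearly with the work factor, while the space doubles per bit of entropy."""
    guesses = 2 ** entropy_bits / 2
    return guesses * iterations / rate_one_iter


def risk_label(entropy_bits: float, iterations: int,
               rotate_threshold_years: float = 10.0) -> tuple[str, float]:
    """Classify a (password strength, work factor) pair for credential rotation."""
    years = expected_crack_seconds(entropy_bits, iterations) / (365.25 * 24 * 3600)
    return ("rotate-now" if years < rotate_threshold_years else "likely-safe", years)


if __name__ == "__main__":
    # Constructed scenarios: a dictionary-derived 8-character password (~28 bits)
    # versus a five-word passphrase (~64 bits), each at a low and a high work factor.
    for bits, iters in [(28, 5_000), (28, 100_100), (64, 5_000), (64, 600_000)]:
        label, years = risk_label(bits, iters)
        print(f"{bits:>3} bits, {iters:>7} iterations -> {years:12.3g} years  [{label}]")
```

The output shows why the advice in the notice singles out short or dictionary-based master passwords: at 28 bits no realistic iteration count rescues the vault, while at 64 bits even a low work factor leaves the attacker far outside any useful horizon.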