---
title: "The Password Manager Giant LastPass Says Hackers Stole Customer Vault Data in a Cloud Storage Breach | Phish Protection"
description: "If you have a LastPass account, which you use to store login information and passwords, or you previously had one that you did not delete."
image: "https://phishprotection.com/og/blog/password-manager-giant-lastpass-hackers-stole-customer-vault-data-cloud-storage-breach.png"
canonical: "https://phishprotection.com/blog/password-manager-giant-lastpass-hackers-stole-customer-vault-data-cloud-storage-breach/"
---

Quick Answer

If you have a LastPass account, which you use to store login information and passwords, or you previously had one that you did not delete, your **password vault** might be in hackers' hands. Read on to learn more about the story.


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2023/01/protection-from-phishing-1230.jpg) 


LastPass recently revealed that cybercriminals **stole customer vault data** after gaining unauthorized access to its [cloud storage](https://en.wikipedia.org/wiki/Cloud%5Fstorage) earlier this year, using information stolen during an August 2022 incident.

The story followed a previous update when **Karim Toubba**, the company’s CEO, announced that the threat actors accessed “certain elements” of the customer information. _Toubba recently added that LastPass used the cloud service to store production data’s archived backups._

### How the Attack Took Place

_The attackers stole the “dual storage container decryption keys and cloud storage access key” from its [developer environment](https://umbraco.com/knowledge-base/development-environment/) and gained access to LastPass’ cloud storage._

“The hackers copied information from the backup containing basic customer account information. Then, they linked **metadata** including end-user names, company names, billing addresses, telephone numbers, email addresses, and the IP addresses the customers used for accessing the LastPass service,” Toubba said.

The attackers also copied a customer vault **data backup** from the [encrypted storage container](https://infosec.ed.ac.uk/how-to-protect/encrypting/encrypted-containers#:~:text=What%20is%20an%20encrypted%20container,it%20to%20an%20email%20message.). LastPass stored it in a **proprietary binary format** containing unencrypted data (such as website URLs) and fully encrypted sensitive fields (like website usernames and passwords, form-filled data, and secure notes).

### Some of the Stolen Data is “Safely Encrypted”

Fortunately, the company says it secured the encrypted data with [256-bit AES encryption](https://www.techopedia.com/definition/29703/256-bit-encryption), and decrypting it requires a **unique encryption key** derived from each user’s master password. According to Toubba, LastPass does not store or maintain the master password on its systems. Hence, the user’s **master password is unknown to LastPass**.


The password manager giant warned the customers that [cybercriminals](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/) would try to brute-force the master passwords to gain access to the encrypted vault data. However, if the customers follow the LastPass recommended **password best practices**, the **brute-forcing attempts** will become time-consuming and challenging for the attackers.

If you follow the password best practices, “it will take millions of years for attackers to guess your master password using the common **password-cracking technology**,” Toubba added. “Furthermore, your sensitive vault data, like usernames and passwords, secure notes, form-fill fields, and attachments, remain **safely encrypted** through LastPass’ [Zero Knowledge architecture](https://www.linkedin.com/pulse/zero-knowledge-architecture-change-everything-we-know-bradley-arlen).”

### Users’ Safety is in their Hands

_It is worth noting that a brute-force attack’s chance of guessing the master password is inversely proportional to the password’s strength._ It means that the easier the master password is to **guess**, the fewer attempts the hackers need to crack it. “If you reuse the master password and it was compromised, a [threat actor](https://www.cybersecuritydive.com/news/threat-actors-microsoft-bypass-security/638698/) will use numerous compromised credentials that are **readily available** on the internet to attempt unauthorized access to your account,” LastPass cautioned.

The fact that website URLs were in **plaintext** signifies that a successful master password **decryption** could give the attackers a sense of all the websites a user holds accounts with, enabling them to mount more credential theft or [phishing attacks](/resources/7-most-common-phishing-attacks-and-learning-to-protect-against-them/).

### LastPass: Taking Immediate Steps to Control the Breach

LastPass **warned** its customers that threat actors could use the data for phishing attacks or [credential stuffing](https://en.wikipedia.org/wiki/Credential%5Fstuffing) (using the stolen data to try logging into other unrelated services). _LastPass informed its customers that it never calls, texts, or emails its customers asking them to click on a link to verify personal data._

The company notified regulatory and law enforcement authorities about the incident, “**taking extreme cautionary measures**.” It also added **new security measures** for detecting any future unauthorized activity.

### How to Protect Against Such Brute Force Attacks

Attackers mount a brute force attack by using **trial-and-error** to guess login information and encryption keys or to locate a hidden web page. They work through every possible combination, hoping to **guess passwords correctly**. Such attacks are called ‘[brute force](https://www.fortinet.com/resources/cyberglossary/brute-force-attack)’ because they rely on numerous forceful attempts to force their way into the private account(s).

Although an old attack method, it is still popular with [hackers](/blog/hackers-show-once-again-they-care-about-more-than-just-money/) and **effective**. Since cracking time depends on the password’s length and complexity, it can take a few seconds or many years. Thus, the time it takes to crack your password is the crucial factor.

Hence, your goal must be to ensure your password slows down the brute-force attempts because _if it takes longer, most cybercriminals will give up the effort and move on._ Here are a few ways users can **strengthen** their passwords against brute attacks:

- **_Longer passwords with various characters:_** When possible, users must choose a **10-character password** that includes symbols or numerals. It creates 1.71 × 10^20 (171.3 quintillion) possibilities. If an attacker uses a [GPU](https://www.extremetech.com/extreme/316266-the-nvidia-rtx-3090-gpu-can-probably-crack-your-passwords) that attempts 10.3 billion hashes per second, it will take approximately 526 years to crack the password.

  A supercomputer, however, could crack the password within a few weeks.

  By this logic, more characters in your password make it even harder to crack. Changing passwords often and avoiding the most common passwords is also crucial.

- **_Use unique passwords for different websites:_** You can avoid becoming a credential-stuffing victim by **never reusing a password**. If you wish to upgrade your account security further, choose different usernames for every website. Thus, you get [phishing protection](/) for your other accounts, which stay safe even if one site gets [breached](/blog/healthcare-industry-continues-impacted-data-breaches-latest-report/).
- **_Use Multi-Factor Authentication:_** The good news is that accounts protected with **multi-factor authentication** are difficult for cybercriminals to access without the second factor (like a **phone pop-up** or an emailed or texted code). Thus, it becomes essential to secure the accounts that provide the second factor first, like your cell phone plan or email accounts.
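The crack-time arithmetic from the first bullet above, carried through as an added example (not code from the original post or from LastPass). It assumes a 365-day year and that the attacker's guess rate is the quoted 10.3 billion hashes per second, and it extends the estimate to other password lengths and character sets; the comparison character sets are constructed and none of them reproduces the article's 1.71 × 10^20 figure exactly.

```python
"""Brute-force crack-time estimator for the figures quoted in the article.

Added example, not code from the original post or from LastPass. It checks the
article's arithmetic (1.71e20 guesses at 10.3 billion hashes/second is about
526 years) and extends it to other lengths, character sets and attacker speeds.
Assumptions: a plain 365-day year, and that the attacker must try every
candidate in the worst case (on average about half the keyspace suffices).
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: plain 365-day year

# Constructed character-set sizes for the comparison table. The article's
# 1.71e20 figure corresponds to a roughly 105-symbol alphabet, not any of these.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(keyspace_size: float) -> float:
    """Entropy of a password chosen uniformly from a keyspace of that size."""
    return math.log2(keyspace_size)


def crack_time_years(keyspace_size: float, hashes_per_second: float,
                     worst_case: bool = True) -> float:
    """Years to exhaust the keyspace (worst case) or half of it (expected)."""
    guesses = keyspace_size if worst_case else keyspace_size / 2
    return guesses / hashes_per_second / SECONDS_PER_YEAR


def article_estimate() -> float:
    """The article's own numbers: 1.71e20 candidates at 10.3 billion hashes/s."""
    return crack_time_years(1.71e20, 10.3e9)


def comparison_table(hashes_per_second: float = 10.3e9) -> list:
    """(charset, length, entropy bits, worst-case years) for several lengths."""
    rows = []
    for name, size in CHARSETS.items():
        for length in (8, 10, 12):
            ks = keyspace(size, length)
            rows.append((name, length, round(entropy_bits(ks), 1),
                         crack_time_years(ks, hashes_per_second)))
    return rows


if __name__ == "__main__":
    print(f"Article figure: {article_estimate():.0f} years")  # prints 526
    for name, length, bits, years in comparison_table():
        print(f"{name:16} {length:2} chars  {bits:5.1f} bits  {years:12.4g} years")
```

The quoted 10.3 billion hashes per second is a rate for a fast hash; a vault that derives its key through a deliberately slow function lowers the attacker's rate and scales every row of the table up accordingly.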

### Two Breaches in a Single Year

The recent cloud storage breach is the **second incident** that LastPass disclosed since the start of the year. It comes after the company confirmed in August that attackers breached its developer environment using a compromised **developer account**.

LastPass published information regarding the August advisory after BleepingComputer reached out to them and received no response to queries regarding a possible breach.

LastPass sent emails to the customers confirming that the cybercriminals stole **proprietary source code and technical information** from its systems. In another update, LastPass also revealed that the cybercriminals behind the August breach maintained [unauthorized access](https://techwireasia.com/2022/07/unauthorized-access-the-biggest-cause-of-data-breaches/) to its systems for four days. LastPass mentions that over 100,000 businesses and 33 million people worldwide use its password management **software**.

### Final Words

Password managers are gaining popularity as a good way to store your passwords, which should be long, **unique**, and **complex** for each website or service. But such security incidents remind us that not all [password managers](https://www.bleepingcomputer.com/news/security/passwordstate-password-manager-hacked-in-supply-chain-attack/) are created equal; they can be compromised or attacked in different ways. Since everyone’s threat model is **different**, one person will not have exactly the same requirements as another.

_The best thing a LastPass customer can do is change their current LastPass master password to a new and unique password (or passphrase) that they write down and keep in a safe place._ That way, their current LastPass vault is **secure** going forward.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

