LastPass confirms that security backups were stolen

LastPass confirms that security backups were stolen


25 January 2023

A new update from the CEO of GoTo, the company that owns the LastPass service, regarding the recent attack that brought a wealth of important password manager user data into the hands of hackers. The investigations that have continued since then prove that the attack is much more serious than it initially seemed, as the hackers also gained access to encrypted backups of the users!

The most worrying thing is the fact that they also have the decryption key of these backups in their hands, with the result that users' data is really exposed. These include usernames, passwords and some multi-factor authentication settings (eg 2FA). For now, however, they claim that no credit card or bank details, birth dates, addresses and social security numbers have been leaked.

For its part, GoTo has already reset users' passwords and is inviting them to change and reset their accounts, while transferring existing data to a new management platform that theoretically offers much greater security, stricter control, certifications and more input options.

What we keep is the company's claim that the users' vaults are not at risk, since the master passwords they have set are known only to them and are never stored in a cloud. Of course, over time, hackers could guess correctly, so it would be good to change them again with more complex passwords.

View them all