• LastPass finally admits the crooks did steal your password vaults, after all

    From NewsKrawler@21:1/5 to All on Mon Dec 26 19:25:24 2022
    https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/
    LastPass finally admits - those crooks who got in?

    They did steal your password vaults, after all
    Two-factor authentication (2FA) didn't help in this particular attack.

    In its previous breach notifications, the company had carefully spoken
    about customer data (which makes most of us think of information such as
    address, phone number, payment card details, and so on) and encrypted
    password vaults as two distinct categories.

    This time, however, "customers' information" turns out to include both
    customer data, in the sense above, and password databases.

    Not literally on the night before Christmas, but perilously close to it,
    LastPass admitted that:
    "The threat actor copied information from backup that contained basic
    customer account information and related metadata including company names,
    end-user names, billing addresses, email addresses, telephone numbers, and
    the IP addresses from which customers were accessing the LastPass service."

    Loosely speaking, the crooks now know who you are, where you live, which
    computers on the internet are yours, and how to contact you electronically.

    The admission continues:
    "The threat actor was also able to copy a backup of customer vault data."

    So, the crooks did steal those password vaults after all.

    What to do?

    Back in August 2022, we said this: "If you want to change some or all of
    your passwords, we're not going to talk you out of it. [... But] we don't
    think you need to change your passwords. (For what it's worth, neither
    does LastPass.)"

    That was based on LastPass's assertions not only that backed-up password
    vaults were encrypted with passwords known only to you, but also that those
    password vaults weren't accessed anyway.

    Given the change in LastPass's story based on what it has discovered since
    then, we now suggest that you change your passwords if you reasonably can.

    Note that you need to change the passwords that are stored inside your
    vault, as well as the master password for the vault itself.

    That's so that even if the crooks do crack your old master password in the
    future, the stash of password data they will uncover in your old vault will
    be stale and therefore useless - like a hidden pirate's chest full of old
    banknotes that are no longer legal tender.

    However, you should change your master password first, before changing any
    passwords inside the vault, as a way of ensuring that any crooks who may
    already have figured out your old master password can't view any of the new
    passwords in your updated vault.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
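The article's warning that the crooks may "crack your old master password in the future" rests on the fact that a copy of the vault backup is now in their hands, so master-password guessing happens offline, on their own hardware, with no server, lockout or 2FA in the way. The Python script below is an added example, not code from the original post, from Sophos or from LastPass, and it simulates that offline attack against a constructed toy vault. Everything about the vault format is an assumption for illustration only: PBKDF2-HMAC-SHA256 salted with the account e-mail (one of the leaked fields), an HMAC-SHA256 keystream and tag standing in for a real cipher, an assumed iteration count, and a constructed user, wordlist and set of site passwords. It shows a weak master password falling to a short candidate list, and why what the attacker recovers is only as useful as the inner passwords are fresh.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed toy vault for illustration only (assumption): NOT LastPass's real
# file format, key-derivation parameters or cipher. What it shares with any
# real design is the property that matters here: a copy of the encrypted
# vault plus the public salt lets an attacker test master-password guesses
# offline, with no server, rate limit or 2FA in the way.
KEY_LEN = 32


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key from the master password via PBKDF2-HMAC-SHA256, salted with
    the account e-mail (assumed salt; e-mail addresses were among the stolen
    customer data, so the attacker has it)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, KEY_LEN
    )


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, entries: Dict[str, str]) -> Tuple[bytes, bytes]:
    """Serialize the site->password map, XOR with keystream, tag with HMAC."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def decrypt_vault(key: bytes, ciphertext: bytes, tag: bytes) -> Optional[Dict[str, str]]:
    """Return the entries if the tag verifies under this key, else None.
    The tag check is what tells an offline attacker that a guess was right."""
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, len(ciphertext))))
    return json.loads(plaintext)


def offline_crack(email: str, iterations: int, ciphertext: bytes, tag: bytes,
                  candidates: List[str]) -> Optional[Tuple[str, Dict[str, str]]]:
    """Try each candidate master password against the stolen vault copy.
    Nothing here touches a server: only KDF cost and guess quality slow it down."""
    for guess in candidates:
        entries = decrypt_vault(derive_key(guess, email, iterations), ciphertext, tag)
        if entries is not None:
            return guess, entries
    return None


# Constructed sample (assumption): one user's backed-up vault as the attacker
# now holds it, sealed under a weak master password before the breach.
STOLEN_EMAIL = "alice@example.com"
ITERATIONS = 100_000  # assumed count; kept modest so the demo runs quickly
OLD_MASTER = "Summer2022!"
OLD_ENTRIES = {"bank.example": "hunter2", "mail.example": "correct horse"}
STOLEN_CT, STOLEN_TAG = encrypt_vault(derive_key(OLD_MASTER, STOLEN_EMAIL, ITERATIONS), OLD_ENTRIES)

# Constructed candidate list; real attacks use wordlists of millions of entries
# plus mangling rules, and the stolen names, addresses and numbers feed them.
CANDIDATES: List[str] = ["password", "Password1", "Summer2021!", "Summer2022!", "letmein"]


def crack_stolen_vault() -> Optional[Tuple[str, Dict[str, str]]]:
    return offline_crack(STOLEN_EMAIL, ITERATIONS, STOLEN_CT, STOLEN_TAG, CANDIDATES)


def stale_after_rotation(recovered: Dict[str, str], current: Dict[str, str]) -> bool:
    """True when none of the recovered passwords is still in use, i.e. the
    user rotated every entry after the breach and the cracked vault is stale."""
    return all(current.get(site) != pw for site, pw in recovered.items())


if __name__ == "__main__":
    result = crack_stolen_vault()
    if result is None:
        print("no candidate opened the vault")
    else:
        master, entries = result
        print(f"master password recovered offline: {master!r}")
        print(f"vault contents: {entries}")
        # The user changed the master password first, then every inner password.
        rotated = {"bank.example": "Lr9!vK2#pq", "mail.example": "Ws4$mN8@zx"}
        print("recovered credentials still valid?", not stale_after_rotation(entries, rotated))
```

A correct guess announces itself when the tag check passes, which the attacker can evaluate as fast as the key derivation allows and without ever contacting LastPass; that is why 2FA and server-side lockouts are irrelevant once the backup has left the building. Rotating the passwords inside the vault turns a successful crack into a list of stale credentials, and changing the master password before that rotation means the refreshed vault is sealed under a key the attacker's stolen copy says nothing about.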