The world’s largest password manager, LastPass, has confirmed that in a data breach earlier this year, cybercriminals stole its customers’ encrypted password vaults, which store their passwords and other secrets.
The intruders used cloud storage keys stolen from a LastPass employee to access a backup of customer vault data, according to LastPass CEO Karim Toubba in an updated blog post on the company’s disclosure. It is believed that the cache of customer password vaults is kept in a “proprietary binary format” and contains both encrypted and unencrypted vault data, but the technical and security specifics of this format were not provided. Web addresses stored in a vault are among the unencrypted data, but LastPass does not give further information or context. It’s unclear how recent the stolen backups are.