LastPass Says November Breach Exposed Basic Personal Data

A new breach using information obtained in a previous hack exposed user names, email addresses and more.

David Lumb Mobile Reporter
David Lumb is a mobile reporter covering how on-the-go gadgets like phones, tablets and smartwatches change our lives. Over the last decade, he's reviewed phones for TechRadar as well as covered tech, gaming, and culture for Engadget, Popular Mechanics, NBC Asian America, Increment, Fast Company and others. As a true Californian, he lives for coffee, beaches and burritos.
Expertise Smartphones | Smartwatches | Tablets | Telecom industry | Mobile semiconductors | Mobile gaming
David Lumb
2 min read
A phone with the LastPass logo on the screen.
Sarah Tew / CNET

Password management service LastPass on Thursday disclosed more details about November's breach, confirming that basic customer info was exposed but not critical data like passwords or credit card details. 

The breach at the end of November resulted from an older one in August, when bad actors broke into one of LastPass' back-end code bases. They stole company data that was then used recently to break into another LastPass database to capture unencrypted customer data like names, email and billing addresses, phone numbers, and IP addresses. No unencrypted credit card data was exposed.

More sensitive data including usernames and passwords was also stolen, but since that is encrypted by default behind a master password that isn't stored on LastPass' servers, it's very unlikely to be exposed.

Other bad actors could still get access to that sensitive data if users make their master passwords easier to guess, like if it's used to log in to other sites, or if they fall prey to phishing or social engineering schemes. If they've set up their master password according to LastPass' best practices, which they reiterated in a blog post disclosing the breach, it would take "millions of years" to guess. 

While hacks are only becoming more common, this event showcased two significant points about modern cybercrime. First, an initial breach that doesn't affect typical users could lead to another that does, and second, that LastPass' decision to never store user master passwords means stolen company information can't break into encrypted user data -- at least so far as we know.