LastPass

LastPass today revealed that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen in an August 2022 incident.

This follows a previous update released last month when the company’s CEO, Karim Toubba, only said the threat actor had access to “some elements” of customer information.

Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data.

The attacker gained access to LastPass cloud storage by using a “cloud storage access key and duplicate storage container decryption keys” stolen from its development environment.

“The threat actor copied information from the backup containing basic customer account information and associated metadata, including company names, end user names, billing addresses, email addresses, phone numbers and IP addresses from which customers were accessing the LastPass service,” Toubba said today.

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format containing both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Some of the stolen vault data is “securely encrypted”

Fortunately, encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.

According to Toubba, the master password is never known to LastPass: it is not stored on LastPass’s systems, and LastPass does not retain it.

Customers have also been warned that attackers may try to brute force their master passwords to access stolen encrypted vault data.

However, doing so would be very difficult and time-consuming for users who followed the password best practices recommended by LastPass.

If you do, “it would take millions of years to guess your master password using generally available password cracking technology,” Toubba added.

“Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-filling fields, remains securely encrypted based on LastPass’s Zero Knowledge architecture.”
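To make the “millions of years” claim concrete, here is an added example (not code from LastPass or from the article) of the two ideas the passage relies on: a vault key derived client-side from the master password with a slow, salted key-derivation function, and the resulting brute-force cost as a function of password entropy and the attacker’s guess rate. The PBKDF2-HMAC-SHA256 construction, the iteration count, the guess rates and the example passwords are this example’s own assumptions, not a statement of LastPass’s actual parameters.

```python
import hashlib
import math

YEAR_SECONDS = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password.

    Assumption of this example: PBKDF2-HMAC-SHA256 with a per-account salt.
    The server never needs the master password; only the derived key (or a
    further hash of it) is ever used, which is what "zero knowledge" means here.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def effective_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """Each guess costs `iterations` HMAC computations, so the KDF divides the
    attacker's raw hash rate by the iteration count."""
    return raw_hashes_per_second / iterations


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password, which on average takes half the keyspace."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / YEAR_SECONDS


def compare_policies(raw_hashes_per_second: float, iterations: int) -> dict:
    """Cracking-time estimate for a weak policy versus a best-practice policy.

    Constructed sample policies: 8 lowercase letters versus 12 characters drawn
    from the 95 printable ASCII characters.
    """
    rate = effective_guess_rate(raw_hashes_per_second, iterations)
    return {
        "8_lowercase_years": expected_crack_years(password_entropy_bits(8, 26), rate),
        "12_printable_years": expected_crack_years(password_entropy_bits(12, 95), rate),
    }


if __name__ == "__main__":
    # Constructed sample values: a hypothetical salt and 100,000 iterations.
    salt = b"example-account-salt"
    key = derive_vault_key("correct horse battery staple", salt, 100_000)
    print("vault key:", key.hex())

    # Constructed attacker model: 1e9 raw SHA-256 HMACs per second.
    for policy, years in compare_policies(1e9, 100_000).items():
        print(f"{policy}: {years:.3g} years")
```

The point the numbers make: with the same key-derivation cost, a short lowercase password falls in well under a year while a 12-character random password takes on the order of hundreds of billions of years, so the defensive lever a user controls is master-password entropy, and the lever the vendor controls is the iteration count that divides the attacker’s guess rate.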

Breached twice in one year

The cloud storage breach is the company’s second disclosed security incident so far this year, after it confirmed in August that its development environment had been hacked using a compromised developer account.

LastPass issued the August notice days after BleepingComputer reached out and received no response to questions about a possible breach.

In emails sent to customers, LastPass confirmed that the attackers had stolen proprietary technical information and source code from its systems.

In a follow-up update, the company also revealed that the attacker behind the August breach maintained internal access to its systems for four days before being evicted.

LastPass claims that its password management software is used by more than 33 million people and 100,000 businesses worldwide.
