I found more startling information about the recent LastPass breach to follow up on Scott's initial post. The article comes from the security firm Sophos. It refers to the LastPass announcement from just days ago:
The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
To which Sophos comments:
Loosely speaking, the crooks now know who you are, where you live, which computers on the internet are yours, and how to contact you electronically.
Yikes!
But that's not the worst part. The announcement also notes:
The threat actor was also able to copy a backup of customer vault data.
The vault is what LastPass uses to refer to the database of stored passwords (as in password vault). Double yikes!
But if you use LastPass, you don't necessarily have to be alarmed, because the actual login and password information is stored only in an encrypted format using very strong encryption. The master password is never sent to the server in unencrypted format and is never stored on their servers. So if you chose a strong master password, it will be very hard for hackers to get at the actual passwords even with the vault. That's also assuming you didn't use this strong master password elsewhere (i.e., on a website that might be hacked). If you also have it set to use 2FA, that's even better. However, the vault apparently contains both encrypted and unencrypted information. The unencrypted information includes the website addresses you visit. But we don't know yet what else it may include.
Sophos has more information and some suggestions on what to do if you're a LastPass customer.
https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/?utm_source=pocket_reader
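To make the point above concrete, here is an added toy model of a client-side encrypted vault (example code written for this thread, not LastPass's code or format). It assumes a PBKDF2-SHA256 key derivation with an arbitrary 100,000-iteration work factor and uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for a real AEAD cipher; the salt, iteration count, sample entries and wordlist are all constructed for the demonstration. It shows what an attacker holding a stolen vault copy can and cannot do: the site URLs are readable with no key at all, while the credentials only fall if the master password is guessable offline, where no server-side lockout or 2FA applies.

```python
"""Toy client-side encrypted password vault (constructed example, not LastPass code).

Model: a master password is stretched with PBKDF2 into a key that never leaves the
client; usernames and passwords are encrypted under that key; the URL field is left
in the clear to mirror the unencrypted metadata the post describes.
"""
import hashlib
import hmac
import os
import struct

SALT = b"constructed-per-account-salt"  # assumption: a real product uses a per-user salt
ITERATIONS = 100_000                    # assumption: work factor chosen for this demo only

# Constructed sample entries for the demonstration.
SAMPLE_ENTRIES = [
    {"url": "https://bank.example", "username": "alice", "password": "Tr0ub4dor&3"},
    {"url": "https://mail.example", "username": "alice@mail.example", "password": "hunter2!"},
]


def derive_key(master_password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    """Split the vault key into separate encryption and MAC keys."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC one field; output is hex(nonce || ciphertext || tag)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(key: bytes, blob_hex: str) -> str:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def build_vault(master_password: str, entries: list) -> list:
    """Produce the vault as it would sit in a server-side backup: URLs clear, secrets encrypted."""
    key = derive_key(master_password)
    return [
        {"url": e["url"],
         "username": encrypt_field(key, e["username"]),
         "password": encrypt_field(key, e["password"])}
        for e in entries
    ]


def leaked_sites(vault: list) -> list:
    """What anyone holding the backup learns without a key: the sites you use."""
    return [entry["url"] for entry in vault]


def offline_guess(vault: list, wordlist: list):
    """Attacker with the stolen vault tries master passwords offline; the MAC acts as
    a password verifier, and no server rate limit or 2FA stands in the way."""
    for guess in wordlist:
        try:
            decrypt_field(derive_key(guess), vault[0]["password"])
            return guess
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    vault = build_vault("123456", SAMPLE_ENTRIES)
    print("sites visible without a key:", leaked_sites(vault))
    print("weak master password recovered:", offline_guess(vault, ["password", "123456", "qwerty"]))
```

The only thing standing between the attacker and the encrypted fields is the cost of `derive_key` multiplied by the number of guesses; a strong, unique master password pushes that out of reach, a reused or weak one does not, and nothing here protects the URL list at all.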