LastPass notified customers on their blog of a security incident. The initial incident was in August 2022, with LastPass expressing confidence that only a development environment had been accessed; an update in September 2022 reiterated that position.
Subsequent updates have detailed the loss of backups of encrypted customer vaults, which also contain unencrypted fields (such as website URLs), together with IP addresses. Customer account data, including company names, end-user names, email addresses and telephone numbers, was also taken.
This raises three questions:
a) why does LastPass hold any customer vault data at all,
b) why are some vault fields stored unencrypted, and
c) why are IP addresses logged and retained?
What wasn't taken are the master passwords, which never leave the end-user device. However, that makes each stolen vault only as safe as the strength of its master password and the PBKDF2 iteration count configured on the account (LastPass's default is 100,100 rounds of PBKDF2-SHA256, but older accounts that never had the count raised can sit at 5,000 or lower): whoever holds the backup can guess offline, with no rate limiting or lockout in the way. Further analysis of the breach is explored in What's in a PR statement: LastPass breach explained.
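To make the "only as safe as the master password" point concrete, here is an added example (not LastPass's code or format) of what the holder of an exfiltrated vault backup actually does. The key derivation mirrors what LastPass documents, PBKDF2-HMAC-SHA256 keyed by the master password and salted with the account email, so the salt is public and only the password and the iteration count cost the attacker anything. The vault itself is a toy encrypt-then-MAC stand-in for the real AES-256-CBC blob; the email, password, wordlist and the 10 GH/s hardware rate are all constructed assumptions.

```python
"""Offline guessing against a stolen password-vault backup (toy model, added example)."""
import hashlib
import hmac
import os

# Iteration counts LastPass has documented for PBKDF2-SHA256: 100,100 is the
# post-2018 default; 5,000 is a setting many older accounts never moved off.
ITER_DEFAULT = 100_100
ITER_LEGACY = 5_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed by the master password, salted with the lower-cased
    account email. The salt is not secret, so nothing prevents offline guessing;
    only password entropy and the iteration count make each guess expensive."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for AES, not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Toy encrypt-then-MAC vault (NOT LastPass's format). The HMAC tag gives an
    attacker the same yes/no oracle per guessed key that a successful AES-CBC
    decryption of the real blob would."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key + nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_vault(vault_key: bytes, blob: dict):
    """Return the plaintext if the key authenticates the blob, else None."""
    expect = hmac.new(vault_key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    stream = _keystream(vault_key + blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def offline_guess(email: str, blob: dict, iterations: int, candidates):
    """What the holder of a stolen backup runs: one PBKDF2 derivation plus one tag
    check per candidate, with no server, rate limit or lockout involved.
    Returns (password, plaintext, guesses_tried); password is None on failure."""
    tried = 0
    for pw in candidates:
        tried += 1
        pt = open_vault(derive_vault_key(pw, email, iterations), blob)
        if pt is not None:
            return pw, pt, tried
    return None, None, tried


def seconds_to_exhaust(iterations: int, keyspace: int, sha256_per_second: float = 10e9) -> float:
    """Rough time to exhaust a keyspace. Each PBKDF2-HMAC-SHA256 round costs about
    two SHA-256 compressions; 10 GH/s is an assumed round figure for one GPU, not a
    measurement. Raising the iteration count scales the attacker's cost linearly."""
    return keyspace * 2 * iterations / sha256_per_second


if __name__ == "__main__":
    # Constructed sample: a weak, guessable master password on a legacy-iteration account.
    email = "alice@example.com"
    secret = b"site=https://bank.example; user=alice; pw=hunter2"
    blob = seal_vault(derive_vault_key("Summer2022!", email, ITER_LEGACY), secret)
    wordlist = ["password", "Summer2021!", "Summer2022!", "Winter2022!"]
    print(offline_guess(email, blob, ITER_LEGACY, wordlist))
    for it in (ITER_LEGACY, ITER_DEFAULT):
        print(it, "rounds, 10^9 guesses:", seconds_to_exhaust(it, 10**9), "s")
```

The iteration count only multiplies the attacker's per-guess cost; it does nothing for a master password that sits in a wordlist, which is why the vaults most at risk are those with short or reused passwords on accounts still at a legacy round count.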