Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.
In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses, but LastPass does not say more or in what context. It’s not clear how recent the stolen backups are.