The data acquired by the threat actors during the two instances was revealed in a support document (PDF) supplied by the firm (via BleepingComputer). The cloud-based backups apparently contained “API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data” during the second incident. Except for a few exceptions, the business stated that all sensitive client vault data “can only be decrypted using a unique encryption key obtained from each user’s master password.” The corporation also said that it does not keep users’ master passwords on file. LastPass also revealed the actions it is taking to boost its defences in the future, including as upgrading its threat detection and making a “multi-million-dollar allocation to increase [its] investment in security across people, processes, and technology.”
