Bestgamingpro

The theft of user password vaults has been confirmed by LastPass

LastPass, a popular password manager, admitted that criminals stole clients’ encrypted password vaults during an incident earlier this year.

If hackers can crack the encryption on the vaults where users save their passwords, they will get access to all of the sensitive information stored inside.

CEO Karim Toubba revealed the news in a blog post on the LastPass website, saying that the hackers reached user vaults by using cloud storage credentials stolen from a LastPass employee. The stolen material includes both encrypted data (the password vaults themselves) and unencrypted data (website addresses, names, email addresses, phone numbers and, in some instances, billing information) kept alongside the vaults.

Password-protected master file

The good news is that the “proprietary binary format” used to store the password vaults makes the data they contain very difficult, if not impossible, to decipher. To do so, attackers would need the customer’s master password, which only the user knows; LastPass insists that it does not know it either.

Toubba said that the system’s Zero Knowledge design ensures that “these encrypted fields stay safe with 256-bit AES encryption and can only be decoded using a unique encryption key produced from each user’s master password.” Recall that “the master password is never known to LastPass and is never saved or maintained by LastPass.”

However, the company cautioned that customers may run into trouble if they used master passwords that were too simple and could be cracked by attackers working offline against the stolen vaults.

The best course of action for people who are concerned that their master password may be compromised is to change it immediately to something more secure. The only way to be sure the information stored in your vault stays safe is to change the passwords kept in it whenever there is any suspicion that they may have been exposed (in addition to enabling multi-factor authentication wherever possible).