Cybercriminals Stole LastPass Customers' Encrypted Password Vaults
TikTok employees tracked multiple journalists and accessed their data, TikTok proposes new layers of government oversight, Meta offers to pay $725M to settle class-action lawsuits, much more
Happy holidays to our valued readers. Barring a cybersecurity crisis, Metacurity will not publish again until January 2. We wish you all a very warm holiday break.
Password aggregator LastPass issued an update on a data breach it disclosed earlier this year, saying that cybercriminals stole its customers’ encrypted password vaults, which store passwords and other secrets.
LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data using cloud storage keys stolen from a LastPass employee. The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified.
The unencrypted data includes vault-stored web addresses, but LastPass does not say more or explain in what context, nor is it clear how recent the stolen backups are. LastPass said customers’ password vaults are encrypted and can only be unl…