Article: Mitchell Clark @ The Verge
Press release from LastPass
Last month, LastPass announced that it had a data breach that had "certain elements" of customer info go awry. Today, LastPass has announced that those "certain elements" were backups of customer account data (billing addresses, email addresses, telephone numbers, IP addresses) as well as a copy of "a backup of customer vault data." LastPass has stated that "encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."
LastPass dropped the ball big time here. The fact that they haven't been transparent about these things and are so slow to make sure people know what's at stake is terrible. From the sound of it, all it takes is enough time to brute-force an account with a piss-poor password to lose important accounts or worse (please use two-factor authentication!!). If you're a LastPass user, please switch to either Bitwarden or some other solution that has a reputation for being reliable like 1Password or RoboForm (I'm surprised RoboForm is still around tbh).
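To make concrete what the "Zero Knowledge" claim and the brute-force worry above mean for a stolen vault backup, here is an added illustration. It is not code from the article, the press release, or the poster, and it does not reproduce LastPass's implementation: the key-derivation split (a vault key derived on the client, a separate login verifier derived from it, and only the verifier stored server-side) is a common password-manager design assumed here for the demonstration, and the iteration count, key length and guess-rate figures are constructed placeholders. The AES-256 vault encryption the press release mentions is not shown; the point is what a server-side copy contains and how the cost of offline guessing scales with master-password strength and KDF work factor.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration only; LastPass's real KDF settings are
# not stated on the page and nothing here should be read as them.
KDF_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 rounds run on the client
KEY_LEN = 32               # 256-bit key, matching the AES-256 the press release cites


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-side: the vault encryption key exists only where the master
    password is typed. It is never transmitted to or stored by the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: one extra one-way round over the vault key yields a login
    verifier. This is what the server stores; it cannot be reversed to the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def server_side_record(master_password: str, salt: bytes) -> dict:
    """Everything a 'zero knowledge' server holds for one account: the salt and
    the login verifier. Neither the master password nor the vault key appears."""
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "auth_hash": derive_auth_hash(key, master_password)}


def verify_login(record: dict, master_password: str) -> bool:
    """Server-side check: recompute the verifier from the submitted password
    (in practice the client sends the verifier) and compare in constant time."""
    key = derive_vault_key(master_password, record["salt"])
    candidate = derive_auth_hash(key, master_password)
    return hmac.compare_digest(record["auth_hash"], candidate)


def offline_guess_seconds(password_entropy_bits: float, iterations: int,
                          kdf_rounds_per_second: float) -> float:
    """Expected time for someone holding a stolen backup to recover the vault
    key by guessing master passwords offline. Each guess costs `iterations`
    KDF rounds and on average half the password space must be searched.
    This is the defender's sizing tool: it shows why a low-entropy master
    password is the real exposure once the ciphertext is in the wild, and
    how little a high iteration count helps against a trivial password."""
    expected_guesses = (2 ** password_entropy_bits) / 2
    return expected_guesses * iterations / kdf_rounds_per_second


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed per-account salt
    record = server_side_record("correct horse battery staple", salt)
    print("server stores:", {k: v.hex() if isinstance(v, bytes) else v
                             for k, v in record.items()})
    print("login ok:", verify_login(record, "correct horse battery staple"))
    print("login bad:", verify_login(record, "password123"))
    # Constructed guess rate: 1e9 PBKDF2 rounds/s for a well-resourced attacker.
    for bits in (20, 40, 60):
        print(f"{bits}-bit password, {KDF_ITERATIONS} rounds: "
              f"{offline_guess_seconds(bits, KDF_ITERATIONS, 1e9):.3g} s")
```

The two levers that matter once a backup is stolen are both on the user's side: master-password entropy enters the estimate exponentially, while the iteration count only enters linearly, which is why the post's advice about weak passwords (and second factors for the accounts inside the vault) carries more weight than the 256-bit figure in the press release.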