The popular password manager LastPass has confirmed today that a previous security breach that the company reported back in August 2022 was much more serious than it seemed. Indeed, the company has since discovered that an unknown hacker group gained access to backup data that includes encrypted and unencrypted information.

“The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” the company explained.

Worse, hackers also copied a backup of customer data that “contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

The company emphasized that encrypted customer data “can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.” LastPass also said that it’s not aware of hackers gaining access to unencrypted credit card data.

If customers’ passwords vaults can only be unlocked with their master passwords, LastPass emphasized that hackers may still try to guess customer passwords by using brute force, social engineering, or phishing attacks. It’s still highly recommended to change your LastPass master password, especially if it doesn’t respect the twelve-character minimum that has been the default setting since 2018.

If you had a weak master password, it’s also probably a good idea to change the passwords for all of the accounts you had in LastPass, just in case. While LastPass is continuing to investigate the security breach, it has also taken some actions to protect its infrastructure from future attacks. The password manager also promised to perform “an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service.”