LastPass has issued a security advisory, notifying customers that the data breach it suffered in August was far worse than thought.

LastPass is a popular password management application. In August, the company informed customers that it had suffered a data breach, one in which “portions of source code and some proprietary LastPass technical information” was stolen. At the time, the company assured customers that no passwords were stolen or compromised.

The company has provided an update on the situation, informing customers that the data stolen in August was used to compromise an employee’s credentials and gain access to the company’s cloud-based storage service. As a result of this secondary breach, the hacker was able to download a backup copy of customer data vaults.

The company described the issue in its advisory:

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Despite the severity of the breach, LastPass says customer passwords are still secure…at least for now. The company says encrypted fields are protected using 256-bit AES encryption, with the encryption key based on the user’s master password. Between the strong encryption and the fact that LastPass does not have access to a user’s password, theoretically, users’ password vaults should still be secure.

Despite the assurance, LastPass says all users should immediately change their master passwords to prevent any risk of the hackers using brute force attacks to try to access the vaults or use some of the unencrypted data in phishing and scam attempts.

The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

LastPass’ revelation is a disturbing one, given the popularity of the application and the important role it plays in the cybersecurity of countless individuals. One can only hope the company will take drastic steps to ensure such a breach doesn’t happen again.