- DevOps Secrets – restricted secrets that were used to gain access to our cloud-based
backup storage.
- Cloud-based backup storage – contained configuration data, API secrets, third-party
integration secrets, customer metadata, and backups of all customer vault data. All
sensitive customer vault data, other than URLs, file paths to installed LastPass Windows
or macOS software, and certain use cases involving email addresses, was encrypted using
our zero-knowledge model and can only be decrypted with a unique encryption key
derived from each user’s master password. As a reminder, end user master passwords
are never known to LastPass and are not stored or maintained by LastPass – therefore,
they were not included in the exfiltrated data.
- Backup of LastPass MFA/Federation Database – contained copies of LastPass
Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as
well as a split knowledge component (the K2 “key”) used for LastPass federation (if
enabled). This database was encrypted, but the separately stored decryption key was
included in the secrets stolen by the threat actor during the second incident.