LastPass used to be one of the best password managers, but more recently, its reputation has taken a hit from multiple security breaches. Now the company has confirmed the last one was really bad.

LastPass suffered a security breach back in August, when a hacker gained access to development environments and was able to steal source code and other proprietary information. Later in December, LastPass confirmed a hacker was able to use that data to “gain access to certain elements of our customers’ information.” The company didn’t clarify what “certain elements” meant, until now.

LastPass just disclosed the full scope of the attack, following an “ongoing investigation.” The hacker was able to access a cloud storage environment using data from the August security breach, which included “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” Credit card information was apparently not accessed.

The worst part is that the hacker successfully copied vault data from LastPass, though the company called it “a backup,” so it’s not clear how old the data is. The company claims the actual passwords are still safe, because they use 256-bit AES encryption based on a person’s master password. However, if someone’s master password can be obtained (for example, with a phishing email mimicking a LastPass login page), it could be possible to unlock the encrypted data and see all of someone’s passwords.

Even without the master password, the leaked data could be damaging for some LastPass users. Names and billing addresses can be used in more attacks, and the website addresses for stored passwords were not encrypted. Someone with the leaked data would be able to see all the websites that were associated with passwords, then use that for more targeted phishing. For example, if someone has a password for Bank of America’s website, they might have an account there, and would be an excellent target for phishing emails that look like account alerts from the bank.

This is just about the worst possible security incident imaginable for a password manager like LastPass — nearly all data in the company’s possession has been copied. Client-side encryption saved every password from being stolen, but as previously mentioned, all it takes is a weak master password or a phishing attack to unlock that data for an account. That, along with a poor track record of responding to security problems and multiple other recent breaches, is a good justification to stop using LastPass.

If you do use LastPass, you should change your master password as soon as possible, and be on the lookout for sketchy-looking emails for the coming weeks and months. You may also want to consider changing every password stored in LastPass — hackers now (probably) have that data too, they just can’t unlock it right now.

Source: LastPass