Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a Dec. 23 statement from the company. This means that the attacker may be able to crack some website passwords of LastPass users through brute force guessing.

The statement from LastPass emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the Master Password, stating:

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Even so, LastPass admits that if a customer has used a weak Master Password, the attacker may be able to use brute force to guess this password, allowing them to decrypt the vault and gain all of the customers’ website passwords, as LastPass explains: