After being hacked for the second time in as many years this August, password management app LastPass announced Thursday that the latest breach was far more damaging than first reported, with the attackers in some cases making off with users’ password vaults. This means that thieves have entire collections of people’s encrypted personal data, if not a direct method to unlock it.
“During the August 2022 incident, no customer data was accessed,” explained LastPass CEO Karim Toubba. However, some of the app’s source code was lifted and later used to spear-phish a LastPass employee into giving up access credentials and keys, which the attackers then used to decrypt and copy “some storage volumes within the cloud storage service.”
Among the data the hackers obtained was basic customer account information such as company names, billing and email addresses, IP addresses and phone numbers, Toubba continued; that account metadata was not encrypted. The copied vault backups are the more serious loss: they hold sensitive fields such as website usernames and passwords and secure notes, which LastPass says are protected by encryption. “These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted using a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said. “As a reminder, the master password is never known by LastPass and is not stored or maintained by LastPass.”
Still, will you take the company’s word for it? I’m not. It will be a pain, but replacing all of your various existing website passwords with new ones—as well as choosing a new master password—may ultimately prove necessary to regain your online security. Or you can just tell LastPass to go dig rocks and switch to 1Password or Bitwarden.