Unencrypted parts inside the vault?
Hi there, after that LastPass breach, many people in the media are discussing the threats that are possibly coming up for the users whose vaults got copied.
Most experts say that the risk is generally low if that data encryption was properly done by LastPass and also if the users had a good master password. But one threat always comes up. The unencrypted URLs in the vault that are linked to the user's vault. This gives a good vector for phishing, they say.
Now my question, are there also unencrypted data fields inside the 1P online vault? Is there a way for you to not have those? Since those are for fast lookup of available logins without decrypting every entry, one expert recommended something like a two-level encryption where there is an E2E encrypted lookup list of all URLs and a corresponding ID of the vault entry connected to that URL. This list should be downloaded by the client and then decrypted locally as soon as the user unlocks the client. By that, the user has a fast look-up and the data is still E2EE on the server.
BR
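The two-level layout described in the question, as an added example that is not code from 1Password, LastPass or the poster: every item and the URL-to-item-id lookup index are encrypted on the client with keys derived from the master password, the server keeps only ciphertext, and the client decrypts the index once at unlock time so URL lookups stay fast. The cipher (HMAC-SHA256 keystream with encrypt-then-MAC), the PBKDF2 parameters, the item-id format and the sample entries are all assumptions made for the demo; a real product would use a vetted AEAD such as AES-GCM and its own key-derivation design.

```python
# Added example: client-side encrypted vault with an encrypted URL -> item-id index.
# Not 1Password's or LastPass's code. The toy cipher below (HMAC-SHA256 keystream +
# encrypt-then-MAC) is a stdlib-only stand-in for a vetted AEAD; the layout is the point.
from __future__ import annotations
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000   # demo value (assumption); production tunes this much higher
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the master password (PBKDF2 here)."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as the keystream of the toy cipher."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong master password fails here before any decryption."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed (wrong key or tampered blob)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_vault(master_password: str, entries: list[dict]) -> dict:
    """Client side: encrypt each item and the URL -> item-id index before upload."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    items, index = {}, {}
    for entry in entries:
        item_id = secrets.token_hex(8)   # opaque id; reveals nothing about the site
        items[item_id] = seal(enc_key, mac_key, json.dumps(entry).encode())
        index.setdefault(entry["url"], []).append(item_id)
    index_blob = seal(enc_key, mac_key, json.dumps(index).encode())
    return {"salt": salt, "items": items, "index": index_blob}   # all the server stores


class UnlockedClient:
    """Downloads the vault, decrypts the index once at unlock, then looks up URLs locally."""

    def __init__(self, vault: dict, master_password: str):
        self.vault = vault
        self.enc_key, self.mac_key = derive_keys(master_password, vault["salt"])
        self.index = json.loads(unseal(self.enc_key, self.mac_key, vault["index"]))

    def lookup(self, url: str) -> list[dict]:
        # fast path: one dict lookup, then decrypt only the matching items
        return [json.loads(unseal(self.enc_key, self.mac_key, self.vault["items"][i]))
                for i in self.index.get(url, [])]


def server_side_plaintext_hits(vault: dict, needle: bytes) -> int:
    """What someone holding a copy of the server data can grep for: blobs containing needle."""
    blobs = [vault["index"], *vault["items"].values()]
    return sum(needle in b for b in blobs)


def unlock_fails(vault: dict, master_password: str) -> bool:
    """True if unlocking with this password is rejected by the integrity check."""
    try:
        UnlockedClient(vault, master_password)
    except ValueError:
        return True
    return False


# Constructed sample entries for the demo (not real credentials)
SAMPLE_ENTRIES = [
    {"url": "https://example.com", "username": "alice", "password": "correct horse"},
    {"url": "https://bank.example", "username": "alice", "password": "battery staple"},
    {"url": "https://example.com", "username": "alice-work", "password": "xkcd936"},
]

if __name__ == "__main__":
    vault = build_vault("hunter2-but-longer", SAMPLE_ENTRIES)
    print("plaintext URL hits on server:", server_side_plaintext_hits(vault, b"https://"))
    client = UnlockedClient(vault, "hunter2-but-longer")
    print([e["username"] for e in client.lookup("https://example.com")])
```

The contrast with the LastPass situation described in the question is `server_side_plaintext_hits`: because the index is sealed with a client-derived key rather than a server-held one, a copied vault yields no URLs to grep for, and the cost of that is only one extra decryption at unlock time.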
Comments
Thank you for that hint, but sadly this doesn't answer my question.
Ben mentioned there that everything is encrypted. Also at LastPass everything was encrypted. But the URLs haven't been encrypted E2E by the user. Those have been server-side encrypted, and that server-side encryption was broken because the hacker was able to get the keys from another LastPass server.
The question is if it is encrypted by the user client before uploading to the server with a key only the user has access to. Not if it is encrypted at all.
0 -
I ended up answering a similar question in detail over on Reddit. Hopefully this helps.
0