Popular password manager hacked — What you need to know
Your account is only as secure as your password. When was the last time you did a password audit? By changing the way you create and store passwords, you can reduce your risk of getting hacked. Tap or click here for 10 password tips to secure your accounts.
A password manager is essential for modern internet users. These tools store and generate login information for all your devices and accounts. They can be installed as software or accessed through a website, browser extension or the cloud.
LastPass is a popular password manager that stores information beyond passwords, such as addresses, passports and credit cards. And if you’re a customer, we have some bad news. It’s been hacked. So what does this mean for you?
The attack
In a blog post, LastPass CEO Karim Toubba revealed that the company detected some “unusual activity within portions of the LastPass development environment” two weeks ago.
An investigation revealed that no customer data or encrypted password vaults were compromised.
The blog states that an “unauthorized party” got into the system through a compromised developer account and took some source code and proprietary LastPass technical information. “Our product and services are operating normally,” Toubba concluded.
While LastPass says there is no evidence that customer data or encrypted password vaults were compromised, the threat actors did steal portions of their source code and “proprietary LastPass technical information,” which could lead to compromises.
LastPass sent customers an email containing the same blog post information.
The response
LastPass contained the attack and hired a cybersecurity and forensics firm to investigate. According to the blog post, the incident has been contained, security measures were ramped up, and there’s no more evidence of malicious activity.
The blog post included answers to some concerns that users may have:
Were any master passwords compromised?
Your master LastPass password gives you access to everything in your account, including passwords, notes and form-fill items. LastPass says the incident did not compromise master passwords, as the company doesn’t store or have knowledge of that information (this is an excellent example of zero knowledge architecture).
Has any data within the vaults been compromised?
LastPass says that the incident occurred in the development environment, and there’s no evidence that anyone accessed the encrypted vault data. The company dropped a reminder that the zero-knowledge model only allows the customer to decrypt vault data.
Has any personal information been compromised?
According to the investigation, there’s no evidence of unauthorized customer data access.
What should be done?
LastPass says that no action must be taken by any users now. The company links to a best practices page, which contains password tips and links to the LastPass Authenticator app.
We strongly recommend using multi-factor authentication for all your accounts and devices.
How to get more information?
“We will continue to update our customers with the transparency they deserve.” Not much help there. Tap or click here for the LastPass customer support page.
What we recommend
Even if your data wasn’t accessed, the hackers may have information that could expose it down the line. Go ahead and change your master password ASAP. The instructions can be found here: support.lastpass.com/help/change-your-master-password.
Tags: cybersecurity, devices, hackers, internet, security, threat actors