For a company supposed to keep your digital secrets safe, LastPass has certainly had a tough time lately. The password management service has revealed it’s been hacked…again.
It’s the second time the popular LastPass service (which protects users’ passwords, sensitive information, card details and more behind a single super-strong ‘master’ password) has been hacked in just six months. And to make matters worse, even LastPass itself doesn’t seem sure what was hit.
While a company blog post says that “customers’ passwords remain securely encrypted due to LastPass’s Zero Knowledge architecture,” it also admits that “certain elements” of “customers’ information” were accessed by the hacker.
A history of hacks
“In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating,” wrote LastPass CEO Karim Toubba.
“We recently discovered unusual activity in a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and notified the police.
“We are working diligently to understand the scope of the incident and identify what specific information was accessed.”
One thing seems certain – this hack is directly related to one that happened back in August of this year, and may even have been perpetrated by the same person. According to Toubba:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to access certain portions of customer information.”
Time to adopt Apple Passkey?
While the LastPass app and password vault remain among the most intuitive and useful in the business, remembering all those cryptic passwords so you don’t have to, the company's entire reputation rests on its ability to keep those secrets safe. If it can’t do that (and LastPass has suffered from a number of vulnerabilities over the years), its whole reason for existing crumbles.
However, such failures could represent a major opportunity for Apple. This year it has pushed the Passkeys feature, which looks to do away with alphanumeric passwords entirely in favor of cryptographic keys, end-to-end encrypted and locked behind a user’s Touch ID or Face ID data.
Passkey adoption has begun to roll out with the introduction of iOS 16, but it will take some time for all websites and services to integrate it into their security layers.
If Passkey can prove to be more secure than services like LastPass, and just as convenient, it could completely reshape the password and personal digital security landscape.