LastPass Password Manager Hacked – Here’s What To Do Now
A password manager is an excellent solution if you struggle to remember login information. It also generates long, random passwords that are extremely difficult to guess. Unfortunately, that advantage can disappear quickly when the password manager itself is breached.
One of the most popular password managers is dealing with exactly that right now. LastPass disclosed a breach a few months ago, but it has since released more details, and the situation is worse than first thought.
Keep reading for details on this terrifying hack and some ways to stay protected.
Here’s the back story
LastPass announced in August that an unauthorized party had gained access to its development environment. The company said no customer data was compromised (more on that below) but that “some source code and technical information was stolen from our development environment.”
According to LastPass, the attackers then used information taken in that first incident to target an employee and “obtain credentials and keys used to access and decrypt some storage volumes in the cloud-based storage service.”
The cloud storage contained basic customer account information and related metadata, including:
- Company name.
- End user name.
- Billing addresses.
- Email addresses.
- Telephone numbers.
- IP addresses from which customers accessed the LastPass service.
The attackers also copied a backup of customer vault data. The backup is stored in a proprietary binary format and contains both unencrypted data, such as the website URLs saved in each vault, and fully encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data.
What does this mean? Criminals are in possession of sensitive data from LastPass, including company source code, customer account details and copies of customer vaults.
However, LastPass says the encrypted fields were not exposed in plaintext: they “remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.” In other words, the attackers have the locked vaults but not the keys; the key to each vault has to be recomputed from that user’s master password.
If you are a LastPass user who followed the default master password settings and best practices, the company says your data should be protected. But to be safe, it suggests changing the passwords for all your saved accounts.
How to protect yourself from the LastPass hack
LastPass also warns that criminals can run brute-force attacks against the stolen vaults, trying master passwords offline until one decrypts. Each guess has to be run through the key derivation function (LastPass uses PBKDF2 with a per-account iteration count) before it can be tested, and that cost is what slows the attack down. How safe you are therefore depends on two things: how strong and unique your master password is, and how many iterations your account was set to use. A long, unique master password at the default iteration count would take attackers an impractical amount of time to crack; a short, reused or guessable master password, or an older account still set to a low iteration count, can be cracked far more quickly.
Another thing to look out for is phishing emails. Criminals piggyback on breaches like this one to trick people into clicking malicious links in emails and text messages. The message will claim to contain important information about the hack, but the message itself is the attack.
Here are some things you can do to stay protected:
- Change your passwords – Do this at least once every few months. If you haven’t already, change your LastPass master password now, then work through the passwords stored in your vault, starting with email, banking and any other account that could be used to reset the rest.
- Never use the same password for multiple accounts – Through a technique known as credential stuffing, criminals try passwords stolen from one service on other services, hoping the victim reused them.
- Where available, always use two-factor authentication – This makes it much harder for criminals to break into an account with a stolen password alone, because they also need the security code sent to your phone or generated by an authenticator app. Turn it on for LastPass itself as well as for the accounts stored in it.
- Protect your data – Remember that LastPass will never call, email or text you and ask you to click a link to verify personal information.
- Antivirus is important — Always have a reliable antivirus program up to date and running on all your devices. We recommend our sponsor, TotalAV. Right now, get an annual plan with TotalAV for just $19 at ProtectWithKim.com. That’s over 85% off the regular price!