The world’s most popular password manager admits to being hacked – how to protect personal information
In a blog post on August 25, password management company LastPass admitted it had been hacked, adding that after launching an immediate investigation it had seen no evidence that the incident involved access to customer data or encrypted password vaults. Users' private information, including passwords and login details linked to banking, shopping and social media accounts, is therefore unlikely to have been compromised in this incident.
CEO Karim Toubba said in the post that the company detected unusual activity within parts of the LastPass development environment two weeks ago.
“We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and some proprietary LastPass technical information. Our products and services are operating normally,” Toubba wrote in the post.
In response to the incident, LastPass said it has implemented “containment and mitigation measures,” and has engaged a cybersecurity and investigative firm.
“While our investigation is ongoing, we have achieved a state of containment, implemented further enhanced security measures and see no further evidence of unauthorized activity,” Toubba added.
Steve Bassi — co-founder and CEO of PolySwarm, a decentralized, crowdsourced threat intelligence security provider — told GOBankingRates that LastPass has done a good job of quickly addressing the breach and communicating to users (and pros) what was affected.
“Despite this breach, users’ master passwords are not at risk of being compromised. That said, users are undoubtedly troubled by this incident, and the pros still have some questions about the security of the software supply chain of LastPass’s source code,” Bassi said. “Specifically, LastPass’ source code handles all users’ master passwords by necessity, so we really don’t want that to go back.”
Bassi said the hack highlights growing threats to system security worldwide and follows a common pattern: attackers steal source code to understand how the large-scale protection of secrets, passwords in this case, really works.
He added that while so much focus has been on Web3 network hacks recently, and rightly so, this incident also underscores the huge attack surface of “traditional” Web2 applications that we rely on every day.
“These threats are only growing, with a variety of lone and state-sponsored actors trying to penetrate private and public networks, and there is no shortage of potential security incidents, but there is a distinct lack of corporate cybersecurity efforts,” Bassi said. “This incident also highlights an important use case for leveraging remote and distributed threat detection workers that detect and prevent such hacks.”
As for what LastPass users can do to protect themselves right now, Bassi said it makes the most sense to wait for the company to audit its software supply chain and give users assurance that their next updates are built securely.
“IT managers who have large LastPass user bases should also be on the lookout for any credential spraying — that is, large amounts of failed logins across their user base — or unusual user login patterns in the coming days,” Bassi said. “Overall, this is another wake-up call. While separate passwords for each service in a password manager are best practices, there’s still no substitute for suspicious login vigilance across corporate and personal accounts.”
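As an added example (not code from the article, LastPass or PolySwarm), the following Python script applies the check Bassi describes to a few constructed authentication log lines: it flags a source that fails against many distinct accounts within a short window (the spraying pattern, as opposed to many failures against one account), reports any account that then succeeded from the same source, and computes the fleet-wide failed-login ratio. The log format, the ten-minute window and the five-account threshold are assumptions chosen for illustration; real deployments tune them against a baseline.

```python
"""Detect password/credential spraying in authentication logs.

Added example, not code from the article or from LastPass.
Log format, window length and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
#   <ISO-8601 timestamp> <OK|FAIL> user=<account> src=<client IP>
# 203.0.113.7 fails against five accounts in seconds, then logs in as "frank".
# 198.51.100.2 is a single user mistyping a password twice (not spraying).
SAMPLE_LOG = """\
2022-08-26T09:00:01 FAIL user=alice src=203.0.113.7
2022-08-26T09:00:02 FAIL user=bob src=203.0.113.7
2022-08-26T09:00:04 FAIL user=carol src=203.0.113.7
2022-08-26T09:00:05 FAIL user=dave src=203.0.113.7
2022-08-26T09:00:07 FAIL user=erin src=203.0.113.7
2022-08-26T09:00:09 OK user=frank src=203.0.113.7
2022-08-26T09:01:00 FAIL user=grace src=198.51.100.2
2022-08-26T09:01:30 FAIL user=grace src=198.51.100.2
2022-08-26T09:02:00 OK user=grace src=198.51.100.2
2022-08-26T09:05:00 OK user=heidi src=192.0.2.9
"""

WINDOW = timedelta(minutes=10)  # sliding window over failures (assumption)
SPRAY_USERS = 5                 # distinct accounts failing from one source (assumption)


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failure_ratio(events):
    """Share of all login attempts that failed; a jump against baseline is the
    'large amounts of failed logins across the user base' signal."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e["ok"]) / len(events)


def detect_spraying(events, window=WINDOW, min_users=SPRAY_USERS):
    """Return one alert per source whose failures, inside any `window`-long
    span, cover at least `min_users` distinct accounts.

    A spray is many accounts x few passwords, so the key is the number of
    distinct usernames per source, not the raw failure count. A later success
    from the same source is included because it is the strongest signal that
    one of the sprayed passwords worked.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):
            # advance window start so fails[start:end+1] spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                window_start = fails[start]["ts"]
                succeeded = sorted({e["user"] for e in evs
                                    if e["ok"] and e["ts"] >= window_start})
                alerts.append({
                    "src": src,
                    "distinct_failed_users": len(users),
                    "first_fail": window_start,
                    "succeeded_after": succeeded,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"failed-login ratio: {failure_ratio(evts):.2f}")
    for a in detect_spraying(evts):
        print(f"SPRAY from {a['src']}: {a['distinct_failed_users']} accounts "
              f"since {a['first_fail']}, later successes: {a['succeeded_after']}")
```

The single-account failures from 198.51.100.2 do not trigger an alert, which is the point of counting distinct usernames per source rather than total failures; an account lockout policy alone would miss the sprayer, which never hits one account more than once.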
Internet users should take care to increase their privacy settings where possible or prudent, as this may protect sensitive data (including personal financial data). “Whenever possible, you want to keep your online presence as private as possible — for example, locking down social media accounts so that only followers can see your posts,” Cybersecurity Magazine recommended. The publication also noted that you should vary usernames and passwords regularly, avoid phishing emails and enable multi-factor authentication.