Password manager LastPass has been hacked by cyber attackers who stole people’s secrets.
But that private information – which largely consists of passwords for other websites, and so could be very powerful to hackers – is likely to remain inaccessible to the attackers, the company claims.
LastPass is one of a range of password managers that allow people to create secure passwords for individual websites and then store them. That means that hackers should struggle to get into any of those websites, and that the impact of any hack on any individual service will be limited.
But it also means that any hack on the password manager itself could be disastrous, given that attackers could instantly gain access to a person’s whole digital life. There have been a number of such hacks in recent years.
In August, LastPass announced that it had been hacked, but that no user information had been stolen. It has now said that company information taken in that hack has been used to get back into its systems – and get away with people’s passwords.
The attackers were able to get away with a copy of a backup of customer data, the company said. That backup contains “both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data”, LastPass said.
The information that was encrypted before the attack remains that way, however, and so it should be very difficult for any attacker to get in. To do so, they will need the master password that unlocks that encryption and makes those passwords visible.
LastPass said that its password rules should make it very difficult for an attacker to do that. If a person had used the default settings, it would take “millions of years” to guess the password, it said.
Users should, however, be cautious about any social engineering or phishing attacks in which hackers attempt to get the master password from them directly. The company advised customers that LastPass will never send people a link and ask them to click on it, or ask for a password outside of the sign-in process.