A password manager is an excellent solution if you struggle to remember login credentials. It’s also a great way to come up with secure passwords that are incredibly difficult to hack. Unfortunately, this can quickly go sideways when the password manager is breached.
One of the most popular password managers is dealing with this right now. The company discovered that its system was hacked a few months ago, but more details have been released, making the situation worse than initially thought.
Keep reading for details on this frightening hack and a few ways to stay protected.
Here’s the backstory
LastPass announced in August that criminals accessed a cloud-based storage environment where the company keeps essential data. The company claimed that no user data was compromised (more on that below) but that “some source code and technical information were stolen from our development environment.”
According to LastPass, the hackers then used information taken in the August incident to target an employee, “obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”
The virtual storage contained basic customer account information and related metadata, including:
- Company names.
- End-user names.
- Billing addresses.
- Email addresses.
- Telephone numbers.
- IP addresses from which customers were accessing the LastPass service.
The hackers also stole a backup of customer vault data. LastPass says the backup is stored in a proprietary binary format and contains both unencrypted data, such as the website URLs you have saved, and fully encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data.
What does this mean? The criminals now hold sensitive data taken from LastPass, including company source code and a copy of customers’ encrypted vaults along with the unencrypted account details listed above.
However, LastPass says that encrypted data was not compromised as these fields “remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.”
If you’re a LastPass user and followed its default master password settings and best practices (a master password of at least 12 characters, not reused anywhere else, and the default of 100,100 PBKDF2 iterations), the company says your data should be protected. One caveat: those defaults were introduced in 2018, so an older account that has never updated its settings may still be using a shorter master password or a far lower iteration count, which makes the stolen vault copy much cheaper to attack. But to be safe, LastPass suggests changing passwords for all your stored accounts.
How to protect against the LastPass hack
LastPass also warns that cybercriminals might use brute force attacks against your master password. The important detail is that they no longer need to go through LastPass to do it. Logging in to the live service is rate-limited and can be protected by two-factor authentication, but the attackers hold a copy of the encrypted vault, so they can run guesses offline on their own hardware with no lockout and no second factor. What stands between them and your data is the strength of your master password and the number of PBKDF2 iterations used to derive the 256-bit AES key. A long, random master password at the current default iteration count is out of reach of today’s cracking rigs; a short or reused one is not.
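To make that concrete, here is an added example (not LastPass code, and not a reproduction of its vault format) modelling the offline attack in Python: a key is derived from the master password with PBKDF2-HMAC-SHA256, the stolen vault carries only a salt, an iteration count and a stand-in verifier, and the attacker tests guesses locally. The salt, header, wordlist and cracking-rig hash rate are constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed: stands in for the known structure an attacker would check
# after a trial decryption. Not the real vault layout.
HEADER = b"vault-header"


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt is per user (assumed here to be the account e-mail); the
    iteration count is the knob that makes each guess expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def verifier_for(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?': a MAC over a known header."""
    return hmac.new(key, HEADER, "sha256").digest()


def make_vault(master_password: str, salt: bytes, iterations: int) -> dict:
    """Build the stolen artefact. Salt and iteration count travel with the data."""
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier_for(key)}


def offline_crack(vault: dict, candidates, max_guesses: int):
    """Attacker side: derive a key per guess and test it against the stolen copy.

    No server is in the loop, so rate limiting, lockout and 2FA never apply.
    Returns (password_or_None, guesses_made).
    """
    made = 0
    for guess in candidates:
        if made >= max_guesses:
            break
        made += 1
        key = derive_vault_key(guess, vault["salt"], vault["iterations"])
        if hmac.compare_digest(verifier_for(key), vault["verifier"]):
            return guess, made
    return None, made


def expected_crack_seconds(keyspace: int, iterations: int, hmac_per_second: float) -> float:
    """Average time to find a password drawn uniformly from `keyspace` guesses.

    Each guess costs `iterations` HMAC-SHA256 computations, and on average the
    attacker has to try half the space before hitting the right one.
    """
    return keyspace * iterations / hmac_per_second / 2


if __name__ == "__main__":
    salt = b"user@example.com"  # constructed sample salt
    wordlist = ["123456", "password", "qwerty", "letmein", "Summer2022!", "correcthorse"]  # constructed

    weak = make_vault("Summer2022!", salt, 100_100)
    strong = make_vault("Xq7!vLp2#mR9wTb4", salt, 100_100)
    print(offline_crack(weak, wordlist, 1000))    # found on the 5th guess
    print(offline_crack(strong, wordlist, 1000))  # not in the wordlist

    gpu_rate = 1e10  # assumption: HMAC-SHA256 per second for a small GPU cracking rig
    for iters in (1, 5_000, 100_100):
        days = expected_crack_seconds(26 ** 8, iters, gpu_rate) / 86_400
        print(f"8 lowercase letters, {iters:>7} iterations: ~{days:.2f} days")
```

The cost function shows why the iteration count matters as much as the password: the same eight-letter lowercase password falls in seconds at 1 iteration, in hours at 5,000 and in days at 100,100, and none of those settings helps if the password is on a wordlist. Lengthening the master password multiplies the keyspace, which is the only term an attacker cannot buy down with more hardware.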
Another thing to watch for is phishing emails. Criminals piggyback on data breaches and hacks like this to trick people into clicking malicious links sent in phishing emails and texts. The message will claim to have important information relating to the hack when the message itself is the danger.
Here are a few things you can do to stay protected:
- Change passwords that may be exposed – If you haven’t done so, change your LastPass master password ASAP, then work through the passwords stored in the vault, starting with email, banking and any account that can reset the others. Regularly scheduled changes matter less than changing a password promptly when a service you use is breached.
- Never use the same password for multiple accounts – Through a technique known as credential stuffing, hackers try stolen username and password pairs on other services, hoping you reused them.
- Where available, always use two-factor authentication – This additional security measure makes it difficult for hackers to log in to your accounts without the code sent to your phone or generated by an authentication app. Keep in mind that it protects the live login, not a copy of encrypted data that has already been stolen.
- Protect your data – Remember that LastPass will never call, email, or text you and ask you to click on a link to verify personal information.
- Antivirus is vital – Always have a trusted antivirus program updated and running on all your devices. We recommend our sponsor, TotalAV. Right now, get an annual plan with TotalAV for only $19 at ProtectWithKim.com. That’s over 85% off the regular price!