Hackers see password managers as the ultimate grail. As soon as they have access to such a service, they will have complete freedom to investigate their target’s entire digital footprint. Hackers have been verified to have stolen encrypted copies of password vaults at LastPass after an assault in August, confirming the worst-case scenario that many users had feared would happen. The only remaining safeguard is the master password set by each individual user.

The issue was documented in a blog post by LastPass. This information pertains to a story we ran back in August. LastPass had said that no user information was compromised and that the hackers had only acquired access to the code repository and a test environment. The hackers then used this information to get into the account of a LastPass worker and steal copies of user vaults that had been stored in the cloud.

According to LastPass, even though these backups contain certain plaintext fields like website URLs, all of your private data, including login credentials, is encrypted during storage. Users’ master passwords safeguard this information, but LastPass doesn’t keep them on file, making it very difficult for the firm to disclose them. With access to the vaults, though, hackers may try several combinations until stumbling across the correct one.

LastPass guarantees your security if you follow their recommendations for creating strong passwords and never reuse passwords. In the case of a strong password, it may take hundreds of thousands of years, if not millions, to crack it. However, you should still be aware of phishing attacks that aim to coax you into divulging your master password. If you use LastPass or another password manager, you will never get a request to verify your master password through email, text message, or any other channel.

The impending Christmas holiday season does not help matters when news breaks that hackers have gained access to users’ LastPass vaults. It’s possible that many businesses’ IT staff in charge of password security will be on vacation, and that individual users will be preoccupied with holiday plans such as seeing loved ones and finishing their shopping. The fact that LastPass’s blog post spends several paragraphs discussing the attack’s background rather than simply stating, “Vaults have been accessed,” doesn’t help matters, either.

Another data breach occurred at the organisation utilising the same information stolen in the previous incident. At that moment, a service provided by a third party was disrupted. In 2021, some customers were given another shock when they were notified that logins to their vaults from other parts of the globe had been restricted. However, these notifications had been issued in mistake or were a result of people reusing their master passwords on other sites.

If you haven’t already done so, we urge you to move to a rival company. Your master password may be secure, but it’s still a good idea to update the passwords for all of your other accounts as well. After all, technological advancements in the field of computing imply that the vaults’ encryption may be broken in the not-too-distant future.

The market is flooded with excellent password managers, many of which are cheaper than LastPass. You should use a master password and a two-factor authentication software to secure your password manager.