Update: On December 22, LastPass published a new blog post with further information about the leaked customer information, saying that account data such as billing addresses, email addresses, end-user names, telephone numbers, and IP address information were obtained. Customer vault data was also taken; it includes unencrypted fields such as website URLs and encrypted fields such as website usernames and passwords, secure notes, and form-fill data.
You can read more about the information lost in the company’s blog post, as well as its full explanation of what’s happened so far and the steps the company is taking next. If you’re a LastPass customer, your best protection is to use a strong random password that’s never been used elsewhere. You can also choose to switch providers—our round-up of the best password managers has suggestions beyond LastPass that you can try.
LastPass has had a terrible year. The well-known password manager was the victim of a security breach in August, when hackers gained access to the company’s development environment. LastPass said at the time that its users were unaffected by the theft of some of its source code and confidential technical information.
Now, consumers are being affected by a second hacking incident at the same organisation. On Wednesday, LastPass said on its blog that it has discovered suspicious behaviour in a separate cloud storage provider. So far, the investigation has shown that “some parts of customers’ information” were accessed, and that this breach was likely the result of information obtained during the event in August 2022. Due to the continuing nature of the inquiry, no more details are currently available. Passwords are still secured, according to LastPass.
Even though the service has received praise from reviewers (including us) for the quality of its day-to-day operation, you have every right to be uneasy about this development. LastPass has been hacked in the past, most notably in 2015, when email addresses, password reminders, and authentication hashes were stolen from user accounts. In 2017, a security flaw in a browser extension made it possible for websites to harvest users’ credentials. The same security researcher who found the 2017 bug also found a weakness in a browser extension in 2019 that exposed the user’s most recently used password. The company has also had communication gaffes: in one case, a security alert email was sent to customers who had not actually been affected by a credential stuffing attack.
If you’re concerned about security, you can simply switch to another top-tier password manager that hasn’t recorded nearly as many problems over the years. You can also check whether your LastPass account follows basic good practice: a long, unique master password, two-factor authentication turned on, and a careful watch on the list of approved devices.
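To make the master-password advice above concrete, here is an added example (not code from LastPass or from the original article) that generates a random master password, estimates its entropy, and models how long an offline guessing attack against a stolen, encrypted vault would take compared with a short human-chosen password. The vault key derivation is modelled generically as PBKDF2-HMAC-SHA256 salted with the account email; the iteration count and the guess rate are assumptions chosen for illustration, not a description of any vendor’s actual implementation.

```python
import hashlib
import math
import secrets
import string

# Assumed parameters for illustration only (not values taken from LastPass).
PBKDF2_ITERATIONS = 100_000          # assumed KDF work factor for the model
GUESSES_PER_SECOND = 1_000_000.0     # assumed offline guessing rate of an attacker
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_master_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Return a uniformly random password using the OS CSPRNG (secrets)."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length/alphabet."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, email: str,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Model of a vault key derivation: PBKDF2-HMAC-SHA256, email as salt.

    This is an assumed, generic construction used to illustrate that the
    key (and thus every encrypted vault entry) depends only on the master
    password once the vault file itself has been stolen.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def expected_crack_years(bits: float,
                         guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password by brute force (half the keyspace)."""
    expected_guesses = 2.0 ** (bits - 1)
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_weak_and_strong() -> dict:
    """Contrast a short lowercase password with a 20-char random one."""
    weak_bits = entropy_bits(8, len(string.ascii_lowercase))
    strong_bits = entropy_bits(20, len(FULL_ALPHABET))
    return {
        "weak_bits": weak_bits,
        "strong_bits": strong_bits,
        "weak_years": expected_crack_years(weak_bits),
        "strong_years": expected_crack_years(strong_bits),
    }


if __name__ == "__main__":
    pw = generate_master_password()
    key = derive_vault_key(pw, "user@example.com")  # constructed sample email
    print("generated master password length:", len(pw))
    print("derived key (hex):", key.hex())
    for name, value in compare_weak_and_strong().items():
        print(f"{name}: {value:.3g}")
```

The point of the model is the ratio, not the absolute numbers: once the encrypted vault is in an attacker’s hands, the KDF work factor only multiplies the cost of each guess, so the master password’s entropy is what keeps the expected cracking time out of reach. A password reused on another site adds nothing, because it may already be in a leaked list and tried first.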
However, although this disclosure may be unsettling, the problem isn’t with the idea of a password manager itself. Even after security breaches, password managers remain an essential part of internet security, and there are ways to make them more convenient to use. Don’t give up on them entirely.