LastPass Update on Stolen Passwords: Here’s What You Need to Know

LastPass has emailed its users to explain more about last December’s security incident, in which several passwords and usernames were stolen. The company indicates that it has completed an extensive investigation and no longer sees any threat. However, there is still a big risk. What exactly should you do?

LastPass was hacked

Last December, we broke the news that hackers had managed to break into LastPass. This allowed them to access multiple usernames and passwords. At the time, the hackers gained access to the LastPass password vault and copied passwords from it. Fortunately, they can’t do anything with these passwords because they are protected by 256-bit AES encryption. You can read more about this in this article.

E-mail and blog post with explanation

In response to the security incident, LastPass has now sent its users an email with more information about the incident. The email refers to a blog post the company has published. In that post, the company answers questions about what exactly happened, what it has done to better secure its service, and exactly which data the hackers gained access to. Below we give you a summary of the answers given by the company.

What happened?

A vulnerability in third-party software allowed adversaries to bypass LastPass’s existing protections. This gave them access to cloud backups and backup storage environments, among other things. For example, they gained access to unencrypted LastPass customer data, integration secrets and API secrets. Through the latter, they created an entry point into the LastPass system.

What data did the attacker have access to?

Among other things, the hackers had access to LastPass proprietary data and the company’s customer data. As described above, this includes usernames and passwords of LastPass users. They also had access to all sensitive customer vault data. The hackers did not gain access to the master passwords, due to the 256-bit AES encryption.

What has LastPass done to make its service more secure?

LastPass indicates that they have introduced new security technologies in, among other things, the data centers, the cloud servers and the overall infrastructure. Below is the email LastPass sent to their customers. And again, the answers above are a very succinct summary. You can find the full answers from LastPass here.

What should I do?

We encourage our readers to look into alternatives to LastPass. Although there is still a good chance that your passwords are safe with LastPass right now, there is a chance that more attacks on LastPass will follow. The source code of the password manager has been leaked, making LastPass vulnerable. If you do want to stick with LastPass, be sure to set new passwords with at least 12 characters. In the articles below you will find some of our tips.
