Many of you likely use a password manager in order to store and recall your account logins across the internet. For me and perhaps even you, Google Passwords is sufficient and simple enough to do this. For others who prefer to feel more protected and separate their data from Google as a tech giant, Dashlane or LastPass are more viable options.
LastPass has a motto – “The last password you’ll ever need”. If you lose that master password, you simply can’t get into your account to see all of your others. If you think about it, this isn’t very unique anymore, because if you lose your Google account password, you can’t see all of your others either. The difference is that with LastPass, it’s nearly impossible to perform a password recovery.
Well, for you that is. Hackers have found a way to gain access to your “vault” where everything else is stored. In a blog post, the company reveals a “recent security incident” (from August) that led to an “unauthorized party gaining access to a third-party cloud-based storage service” where LastPass keeps backups of its production data.
You heard that right – hackers have compromised an off-site data bank where your information is being stored. Did you even know the company used a third party to store your passwords in this production setup? I sure didn’t. Anyway, you shouldn’t be surprised by this, because everyone and their hacker grandma is trying to bust into LastPass since it’s a high-value target for sensitive information.
If you use the default settings (password best practices) it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.
However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
– LastPass Blog
The password service states that your data was still encrypted at the time of the breach, and so long as you used its recommended best practices for choosing your master password – a set of characters that are never known to LastPass directly – you shouldn’t need to take any action right now in light of the incident.
However, data was stolen, and while usernames and passwords were encrypted, some unencrypted information like website URLs was visible to hackers. Even more alarming is the fact that if you did not follow best practices while setting up your master password, these bad actors could potentially brute force their way into your vault by guessing your password, using a rainbow table, or any number of other guess-generation tools.
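To put the "millions of years" claim and the weak-master-password warning in numbers, here is an added estimator (not code from LastPass or from this post). It assumes the vault key is derived with PBKDF2, that the defaults are a 12-character minimum with a lowercase, uppercase and digit requirement and 100,100 iterations, and it uses a constructed attacker hash rate; the password policy, iteration count and rate are assumptions, not figures from the post.

```python
import math
import string

# Assumed defaults (not stated in the post): 12-character minimum with at least
# one lowercase, uppercase and digit, and 100,100 PBKDF2 iterations per guess.
DEFAULT_MIN_LENGTH = 12
DEFAULT_KDF_ITERATIONS = 100_100
# Constructed attacker throughput: raw PBKDF2 inner-hash operations per second
# on a GPU rig. Each master-password guess costs `iterations` of these.
ASSUMED_HASHES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the smallest standard character class set that covers pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return size


def keyspace_bits(pw: str) -> float:
    """Brute-force keyspace in bits, treating pw as uniformly random over its
    classes. A dictionary word or a reused password is far weaker than this."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def meets_defaults(pw: str) -> bool:
    """Check pw against the assumed default master-password policy."""
    return (len(pw) >= DEFAULT_MIN_LENGTH
            and any(c in string.ascii_lowercase for c in pw)
            and any(c in string.ascii_uppercase for c in pw)
            and any(c in string.digits for c in pw))


def expected_crack_years(pw: str, iterations: int = DEFAULT_KDF_ITERATIONS,
                         rate: float = ASSUMED_HASHES_PER_SEC) -> float:
    """Expected years for an offline attacker holding the stolen encrypted
    vault to reach the key: half the keyspace, each guess paying the KDF cost."""
    guesses = 2 ** (keyspace_bits(pw) - 1)
    return guesses * iterations / rate / SECONDS_PER_YEAR
```

Lowering `iterations` (as older accounts may have had) cuts the estimate proportionally, which is why both length and the KDF setting matter.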
With so much controversy and so many hacking attempts surrounding LastPass in recent years, I would say that hackers may get lucky sooner or later. If I were you, I’d switch to a different service altogether, but the choice is yours.