LastPass, one of the most popular password storing platforms with over 33 million users, has confirmed it was hacked. In a blog post, the company stated that it detected “unusual activity” in its “LastPass development environment” nearly two weeks back and launched an investigation.
LastPass admits that hackers likely gained access to some of its source code through “a single compromised developer account”. The hackers stole some of the source code as well as “some proprietary LastPass technical information,” according to the company. However, LastPass maintains there is no reason to believe that the hackers managed to access any customer data. Here’s everything to note.
LastPass hacking: What next?
According to LastPass, all of its “products and services are operating normally.” The company says it has deployed “containment and mitigation measures, and engaged a leading cybersecurity and forensics firm.” The investigation into the hack is still ongoing, and the company states it has “implemented additional enhanced security measures,” though it has not given details of what these are.
LastPass hacking: Is your Master Password and other data safe?
The Master Password is the one used to access or log into your LastPass account. If this is compromised, so is your account. Businesses also use LastPass, and their employees likely have a Master Password as well to log in to their accounts. But LastPass states that the integrity of the Master Password is intact, since the company never stores it.
“We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” the company states in its blog post.
LastPass also insists no other user data has been compromised. It claims the security breach took place in the “development environment,” and that there is no evidence of “unauthorized access to encrypted vault data.” But this is still an ongoing investigation. It states that only the customer can decrypt their vault data.
According to the company, there is no evidence to show “any unauthorized access to customer data in our production environment.”
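To make the “zero knowledge” claim concrete, here is an added illustrative model; it is not LastPass’s code and its parameters (the PBKDF2 iteration count, the HMAC-based counter-mode cipher standing in for AES, and the names derive_keys, encrypt_vault and VaultServer) are assumptions for the demo. The master password is stretched on the client into a vault key, a separate one-way hash of that key is the only credential the server stores, so a copy of everything server-side yields neither the master password nor anything that decrypts the vault.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo, not LastPass's own setting

def derive_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Client side only: returns (vault_key, auth_hash). vault_key never leaves the
    device; auth_hash is the only credential the server sees, so a server breach
    exposes neither the master password nor the key that decrypts the vault."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS)
    # One more one-way step: the stored login hash cannot be reversed to vault_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash

def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate keys for encryption and integrity, both derived from vault_key.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES so the demo needs no extra packages.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, "sha256").digest()
    return nonce + body + tag

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class VaultServer:
    """Models what the service stores: only the auth hash and the encrypted blob."""
    def __init__(self) -> None:
        self.records: dict[str, dict[str, bytes]] = {}
    def register(self, email: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        self.records[email] = {"auth_hash": auth_hash, "vault": encrypted_vault}
    def login(self, email: str, auth_hash: bool) -> bool:
        rec = self.records.get(email)
        return rec is not None and hmac.compare_digest(rec["auth_hash"], auth_hash)
```

Everything in VaultServer.records is what an attacker with full server access would obtain; without the master password typed on the client, neither login nor decryption succeeds.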
LastPass: What can users do?
LastPass is not recommending any action at the moment for users or business account administrators. It has only recommended that users and businesses follow best practices. Some of the best practices, according to LastPass, include:
Unique and strong master password: This is the password that gains access to your LastPass account, where all other passwords are stored. The company recommends using a unique and difficult password with a minimum of 12 characters, which includes a mix of upper- and lower-case characters, numbers and special characters. It also recommends using “a random, memorable passphrase,” but one that cannot be guessed easily.
Users should not use personal information such as “pet names, street addresses, family names” for the master password.
LastPass also supports the option of using its own authenticator app for extra security. The app needs to be downloaded separately in addition to the main LastPass app. It adds a further factor to prove your identity, which could be a password, a mobile device or a biometric. Users should also keep their recovery email updated. They can also add a set of trusted devices to their account.
What are the other password authenticators I can use?
Given the LastPass issue, if you feel the need for an alternative password management system, remember that both Apple and Google’s Chrome offer this. For Apple, there’s iCloud Keychain, which is best suited for core Apple users, meaning those who have an iPhone and rely on an iPad, MacBook and the Safari browser. Users can set this up with their Apple ID and save passwords and other secure information across devices. Apple’s iCloud Keychain will also suggest strong passwords when you are signing up for or creating an account with a new service.
In iOS, just go to Settings > Apple ID > iCloud and turn on iCloud Keychain. In macOS, you can see ‘Passwords’ in the Settings section. Also, keep in mind that passwords you create on macOS can be accessed on the iPhone. Apple’s Keychain will also tell you which passwords can be easily compromised, giving you the option to delete or update these.
There’s also Google Password Manager, available on Android and Chrome. It syncs across Chrome on your laptops and desktops, and your passwords can be accessed on your Android phone as well. The passwords are linked to your Google account. You might notice that every time you set up a new account or password in the Google Chrome browser, a little box pops up asking you to save the password. This is Google Password Manager. The passwords can be accessed across devices provided you sign in with the same Google account.