LastPass admits a hack compromised customers’ passwords
Usually, password managers are one of the best ways to increase the security of your online accounts. The idea is to store everything in a vault encrypted with a particularly strong master password. But while the first versions of these password managers, such as 1Password, only worked locally, the whole industry has moved to the cloud over the last few years.
This creates real security risks, and for LastPass customers those risks have now materialized. In early August 2022, the firm revealed that it had been the victim of a hack: an unauthorized person gained access to part of the LastPass development environment through a compromised developer account. At the time the firm believed the attackers had taken portions of its proprietary source code, as well as some technical information.
Hackers successfully stole LastPass customers’ secure vaults, firm admits
Nothing too serious, it seemed at the time. Then in November LastPass revealed that it had been targeted by a new hack. This time, an intrusion into the company's systems, made possible by information taken in the August hack, reportedly gave the attackers access to "certain customer data", without further details. The firm nevertheless appeared to assure customers that no really sensitive data, such as credit card numbers, had leaked.
However, a few hours before the Christmas weekend, LastPass announced yet more very bad news in a new press release. Karim Toubba, the company's CEO, explains:
“The hacker was also able to copy a backup of customer vault data from an encrypted storage space. That data is stored in a proprietary binary format that contains both unencrypted data, such as website addresses, and much more sensitive fully encrypted fields such as passwords and site usernames, secure notes, and form-fill data.”
According to the CEO, then, the hackers potentially hold all of the customers' password vaults. The most sensitive data in those vaults remains encrypted, the firm says, and is protected by the vault's master password. Because the attackers now hold the encrypted vaults offline, they can try master-password guesses without any rate limiting; the only brake is the strength of the master password and the cost of deriving the vault key from it. As long as that password is complex and is not reused elsewhere, the probability of hackers breaking it remains fairly low.
There is one caveat, however: it is impossible to say with certainty that the stolen data is really as well protected by encryption as the company claims. LastPass only says that the default vault settings "should" protect them from hackers (the conditional is in the official statement).
In addition, accounts opened before 2018 are likely to be less well protected: LastPass raised its default key-derivation iteration count in 2018, and older accounts were not all moved to the stronger setting. And the unencrypted part of the stolen data, the website addresses, immediately shows hackers which accounts to try first. That is why you should change your passwords if you have put everything into LastPass.
LastPass's handling of the attack can also be criticised: no additional information since November, and a press release three days before Christmas, when corporate IT departments are running on skeleton staff for the holidays, do nothing to restore confidence. That is why we also recommend considering a competing password manager to secure your accounts.
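The two points above, that a complex master password resists offline guessing and that a weaker key-derivation setting on an older account makes that guessing cheaper, can be put in numbers. The following is an added example, not LastPass code. It assumes what LastPass has publicly described about its scheme: the vault key is PBKDF2-HMAC-SHA256 over the master password, salted with the lower-cased account e-mail, 32 bytes long, with 100,100 iterations as the post-2018 default and 5,000 on many older accounts. Those figures are assumptions taken from LastPass statements, not from this article, and the attacker guessing rate is a made-up illustration.

```python
"""Offline guessing cost against a stolen LastPass vault.

Added example, not LastPass code. Assumed scheme (from LastPass public
statements): PBKDF2-HMAC-SHA256(master password, salt = lower-cased e-mail,
32 bytes), 100,100 iterations by default since 2018, 5,000 on many older
accounts.
"""
import hashlib
import time

NEW_DEFAULT_ITERATIONS = 100_100  # assumed post-2018 default
OLD_DEFAULT_ITERATIONS = 5_000    # assumed value still on many pre-2018 accounts


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key (assumed LastPass scheme, see above)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def unlock(vault_key_hex: str, guess: str, email: str, iterations: int) -> bool:
    """What an attacker holding the stolen vault does per guess: derive and
    compare. A real attack checks the guess against the ciphertext instead,
    but the dominant cost is the same PBKDF2 call."""
    return derive_vault_key(guess, email, iterations).hex() == vault_key_hex


def guesses_per_second(iterations: int, sample: int = 20) -> float:
    """Measure this CPU core's guessing rate at a given iteration count."""
    start = time.perf_counter()
    for i in range(sample):
        derive_vault_key(f"guess-{i}", "user@example.com", iterations)
    return sample / (time.perf_counter() - start)


def scale_rate(rate: float, from_iterations: int, to_iterations: int) -> float:
    """PBKDF2 cost grows linearly with the iteration count, so a rate
    measured at one setting predicts the rate at another."""
    return rate * from_iterations / to_iterations


def expected_crack_seconds(password_bits: float, rate: float) -> float:
    """Average time to hit a password of the given entropy: on average
    half the keyspace must be searched."""
    return (2.0 ** password_bits) / 2.0 / rate


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} s"


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account
    stolen = derive_vault_key("correct horse battery staple", email,
                              NEW_DEFAULT_ITERATIONS).hex()
    print("wrong guess unlocks:", unlock(stolen, "Password123", email, NEW_DEFAULT_ITERATIONS))
    print("right guess unlocks:", unlock(stolen, "correct horse battery staple", email,
                                         NEW_DEFAULT_ITERATIONS))

    local = guesses_per_second(OLD_DEFAULT_ITERATIONS)
    print(f"one CPU core: {local:,.0f} guesses/s at {OLD_DEFAULT_ITERATIONS:,} iterations, "
          f"{scale_rate(local, OLD_DEFAULT_ITERATIONS, NEW_DEFAULT_ITERATIONS):,.0f} "
          f"at {NEW_DEFAULT_ITERATIONS:,}")

    # Assumed attacker: 1,000,000 guesses/s at 5,000 iterations. This is an
    # illustrative figure for a GPU rig, not a measurement.
    attacker_old = 1_000_000.0
    attacker_new = scale_rate(attacker_old, OLD_DEFAULT_ITERATIONS, NEW_DEFAULT_ITERATIONS)
    for bits, label in ((28, "dictionary word + year + symbol (~28 bits)"),
                        (44, "four words from a 2,048-word list (44 bits)"),
                        (66, "10 random printable ASCII chars (~66 bits)")):
        print(f"{label}: {human(expected_crack_seconds(bits, attacker_old))} "
              f"at {OLD_DEFAULT_ITERATIONS:,} iterations, "
              f"{human(expected_crack_seconds(bits, attacker_new))} "
              f"at {NEW_DEFAULT_ITERATIONS:,}")
```

The takeaway is the ratio, not the absolute numbers: moving from 5,000 to 100,100 iterations makes every guess about twenty times more expensive, which buys a weak master password a factor of twenty and nothing more, whereas each additional bit of password entropy doubles the attacker's work. A low-entropy master password on a pre-2018 account is the worst of both.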
Exporting your entire LastPass password database and importing it into a new service is straightforward. Keep in mind that the export is an unencrypted file, so delete it once the import is done, and use it first to decide which passwords to change before anything else.
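Before importing the export elsewhere, it is worth triaging it: passwords reused across sites, and sites whose compromise unlocks other accounts (a mailbox can reset almost everything), should be rotated first. The following is an added example, not LastPass code. It assumes the export uses LastPass's documented CSV header (url,username,password,totp,extra,name,grouping,fav); the rows in it are constructed sample data, and the priority weights are an assumption.

```python
"""Triage a LastPass CSV export before rotating passwords.

Added example, not LastPass code. Assumes the CSV header
url,username,password,totp,extra,name,grouping,fav; columns are read by
name, so an older export without the totp column works the same way.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export, not a real vault.
SAMPLE_EXPORT = """\
url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Sunshine2019!,,,Webmail,Personal,1
https://bank.example.net,alice,Sunshine2019!,,,Bank,Finance,0
https://forum.example.org,alice99,correct-horse-battery-staple,,,Forum,Misc,0
https://shop.example.com,alice@example.com,Sunshine2019,,,Shop,Misc,0
"""

# Assumed weights: a mailbox outranks a bank because it can reset the rest.
PRIORITY_KEYWORDS = {"mail": 2, "bank": 1}
REUSE_WEIGHT = 2


def load_export(text: str) -> list[dict]:
    """Parse the export into one dict per entry, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def reused_passwords(rows: list[dict]) -> dict[str, list[str]]:
    """Map every password used by more than one entry to the URLs sharing it."""
    by_pw = defaultdict(list)
    for r in rows:
        if r["password"]:
            by_pw[r["password"]].append(r["url"])
    return {pw: urls for pw, urls in by_pw.items() if len(urls) > 1}


def rotation_score(row: dict, reused: dict[str, list[str]]) -> int:
    """Higher score means change this password sooner."""
    score = REUSE_WEIGHT if row["password"] in reused else 0
    url = row["url"].lower()
    for keyword, weight in PRIORITY_KEYWORDS.items():
        if keyword in url:
            score += weight
    return score


def rotation_order(rows: list[dict]) -> list[str]:
    """URLs in the order their passwords should be changed (ties by URL)."""
    reused = reused_passwords(rows)
    ranked = sorted(rows, key=lambda r: (-rotation_score(r, reused), r["url"]))
    return [r["url"] for r in ranked]


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for pw, urls in reused_passwords(rows).items():
        print(f"password reused across {len(urls)} sites: {', '.join(urls)}")
    for i, url in enumerate(rotation_order(rows), 1):
        print(f"{i}. {url}")
```

Run it against your own export by replacing SAMPLE_EXPORT with the file's contents; the reuse check is the one that matters most here, since a reused password broken on one site from the stolen URL list opens every other site that shares it.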