Change your LastPass Master Password — security incident no longer just a rumor
So, we’ve got good news and bad news. The good news is that the hacking attempt against LastPass from this August didn’t result in any user data being stolen directly. Yay! The bad news is that it did let the attackers walk off with internal technical information (source code and related know-how), which they then used to target a LastPass employee, and through that employee’s access they did steal user data. Boo!
Now, we’ve got to commend LastPass for remaining transparent, as it promised, and sharing the story in a blog post. While it’s easy to take a jab here, we’re also certain that the situation is difficult for them as well.
While the hackers didn’t get any live data (the up-to-date information stored and used in real time by LastPass servers), they did get their hands on backups. Since most people aren’t in the habit of changing their passwords for no reason, in most cases those backups will still contain current, working credentials.
Here’s the list of account information that is confirmed to have been taken, and which was stored unencrypted:
- Company and user names
- Billing addresses
- Emails
- Mobile numbers
- IP addresses
Suffice it to say, in some cases the malicious third party now holds a full profile of a user. No good at all. But what about the usernames and passwords, the main type of data the company handles?
Well, those have been stolen too; however, they are encrypted. Thanks to LastPass’ zero-knowledge architecture, the vault is encrypted on your device with a key derived from your master password, which LastPass itself never holds, so the culprits can’t read any of it unless they obtain that password. The catch is that an encrypted copy in an attacker’s hands can be attacked offline: they can try guess after guess against it, with no rate limit, lockout or alert to stop them. The only things standing between them and your vault are the strength of your master password and the key-derivation work factor on your account.
What should I do to keep my LastPass account safe?
At this point, the call to action should be obvious: change your LastPass master password, folks! And make sure to stick to the password best practices the company has shared. One caveat worth understanding: changing the master password protects your live account, but it does not re-encrypt the backup the attackers already have, which stays locked under the old one. If your old master password was short, guessable or reused anywhere else, treat the vault contents as exposed and change the important passwords stored inside it too.
By LastPass’s own estimate, a master password that follows those practices would take “millions of years” to brute-force (that is, to recover by trying every possible guess) with current technology. That estimate assumes a long, random password and the current default key-derivation settings; older accounts may be configured with far fewer iterations, which makes every guess cheaper for the attacker.
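To make the “offline guessing” point and the “millions of years” estimate concrete, here is an added example in Python. It is not LastPass’s code and not from this post; it models the documented shape of the LastPass key derivation (PBKDF2-HMAC-SHA256 over the master password, salted with the account email) and shows why the stolen backup is only as safe as the master password and the iteration count. The email, iteration counts, wordlist, guess rates and the “stolen” key are all constructed for the demonstration.

```python
import hashlib
import hmac
import math

# Added example, not LastPass's code. The KDF shape (PBKDF2-HMAC-SHA256,
# email as salt) follows what LastPass documents; the iteration counts,
# email, wordlist and target key below are constructed for illustration.


def derive_vault_key(master_password, email, iterations):
    """Derive the 256-bit vault encryption key the way a PBKDF2-based
    password manager does. The key never leaves the client, so a server
    breach yields only ciphertext plus this derivation's salt (the email)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def offline_dictionary_attack(target_key, email, iterations, candidates):
    """What an attacker holding a stolen backup can do at leisure: derive the
    key for each guess and compare it to the real one. No rate limiting, no
    lockout, no alert. Returns (password, guesses_tried) on success or
    (None, guesses_tried) when the wordlist is exhausted."""
    for n, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(derive_vault_key(guess, email, iterations), target_key):
            return guess, n
    return None, len(candidates)


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy, guesses_per_second):
    """Worst-case time to try every password of the given entropy at a
    given (assumed) guess rate, in years."""
    seconds = (2.0 ** entropy) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    email = "victim@example.com"        # constructed
    weak_iterations = 5_000             # assumption: an old, low account setting
    # Constructed "stolen backup": the key protecting a vault whose master
    # password is the weak "letmein".
    stolen_key = derive_vault_key("letmein", email, weak_iterations)
    wordlist = ["password", "123456", "letmein", "Summer2022!"]  # constructed
    found, tried = offline_dictionary_attack(stolen_key, email, weak_iterations, wordlist)
    print(f"weak master password recovered: {found!r} after {tried} guesses")

    # The "millions of years" claim only holds for long random passwords and a
    # high iteration count. Guess rates are assumptions for illustration only.
    scenarios = [
        ("8 lowercase letters, low iteration count", entropy_bits(26, 8), 1e6),
        ("12 random printable ASCII chars, high iteration count", entropy_bits(94, 12), 5e4),
    ]
    for label, bits, rate in scenarios:
        print(f"{label}: ~{years_to_exhaust(bits, rate):.2e} years worst case")
```

The first scenario falls to a wordlist in a handful of guesses; the second pushes the worst case past any practical horizon. Note that nothing in the attack function touches a LastPass server: once the backup is copied, the attacker controls how many guesses they make and how fast.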
Another thing you should do is remain vigilant for social engineering and phishing attempts, even after changing your passwords. These are typically emails, texts or DMs that try to pressure you into handing over your login details, and since the attackers now hold names, email addresses, phone numbers and billing addresses, those messages can be convincingly personalized.
This is your kind reminder that no respectable company out there would ever ask for your password or master password that way. If one does, you should definitely question its respectability, and a good way to question it is to double-check through a channel you trust.
For example, if someone who says they are your bank calls and asks for your online banking details, end the call and phone your actual bank on the number printed on your card, then ask whether they just called you for that information. The answer will likely not be shocking.
So, given that this December is starting to feel like a rerun of last December (when LastPass users reported odd login attempts), we’ve got to ask: what is the company doing to prevent future mishaps? Well, they’ve been transparent about this too.
Honestly, they are doing the best possible thing: decommissioning the environment the attackers gained knowledge of and rebuilding it from scratch, with enhanced protection and alerting.
LastPass CEO Karim Toubba stated that, as of now, there is no need to take further action. They even go as far as saying that if your current master password already complies with the aforementioned best practices, you can carry on without changing it.
But, though few things in life remain constant over time, one thing always does: better safe than sorry. We strongly recommend that you familiarize yourself with how to build a strong password and put that knowledge to full use.