No one’s safe from hackers — not even LastPass, a company that stores people’s passwords.
LastPass lets people store passwords online so they can access them all with a single master password.
It’s great, because you’re storing all your eggs in one basket. But that could also be a problem.
On Monday, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, and encrypted versions of people’s master passwords.
So keeping all your passwords in a single place on the Internet might not be such a great idea.
LastPass said it discovered the digital break-in on Friday. It’s still very early in its investigation, but if LastPass is right, hackers didn’t manage to grab plain text versions of the all-powerful master passwords.
Still, hackers grabbed encoded versions of people’s passwords. But if your master password is simple and common, like Password123, these hackers can crack it in no time. Hackers can also easily rent out computer servers and use computing power to decipher all the others.
“Attackers seem to have all they need to start brute-forcing master passwords,” said Tod Beardsely, a research manager at cybersecurity firm Rapid7.
Hackers also grabbed user password reminders. So, you’re out of luck if your question is something like, “Where were you born?” Anyone can figure that out using public records or social media accounts.
The potential damage here? Identity thieves might suddenly have access to important information such as email accounts, social media, banks, hospital records — everything.
Cybersecurity experts reacted strongly to the news. For months, many of them have touted LastPass and similar services as an elegant solution to one of today’s annoying problems of keeping track of multiple passwords.
Keeping the same password is reckless and remembering dozens is annoying. This third option relies entirely on trusting a company to protect them.
This hack reveals the flaw in that option.
“The recommended standard best practice is to use a password manager. It’s the best way to deal with the tragedy of passwords,” said Jon Oberheide, an executive at cybersecurity firm Duo Security.
Oberheide said he uses a password manager himself. There’s a caveat, though. Oberheide doesn’t use it for his critical accounts like Gmail or online banking.
In a blog post, LastPass urged users to quickly change their master passwords. And as every hacked company does, it assured users “security and privacy are our top concerns here at LastPass.”
David Longenecker, an independent cybersecurity expert in Texas, complained that LastPass posted a public blog post about the incident before warning its users to change their passwords.
“I would have preferred getting the PSA to change password from you, versus through the grapevine,” he wrote publicly to the company on Twitter.
As always, in this latest password database theft the only people who are protected are those who set up an extra security feature: two-step authentication, which requires a text message as a second passcode.