An online password manager can make your life much easier by automatically entering individual passwords for each website and service you visit. It is a very convenient tool – unless it is hacked.
In that instance, by discrediting a single password, cyber criminals can receive access to invaluable information, including banking credentials. LastPass, a popular password manager, has recently disclosed a network breach.
Attackers compromised user email addresses, password reminders, per-user salts and authentication hashes. The passwords themselves were not compromised, as the service doesn’t store them in its cloud. Nevertheless, LastPass recommends users change their LastPass master passwords and enable multi-factor authentication. Let’s give credit to the company: When LastPass found the breach, it quickly released a public warning.
To the hackers’ benefit, many large companies try keeping security breaches a secret, but not here. Still, potential consequences of the breach seem to be dubious. CEO and founder of LastPass Joe Siegrist claims that the incident will not influence “the vast majority of users”. Some researchers support this position, declaring there is no risk for users with strong passwords.
Other researchers consider that the breach can lead to a new wave of malicious activity aimed directly at LastPass users. Being armed with the list of real email addresses hackers can create a targeted phishing campaign to defraud the lacking data. For example, LastPass is advising users to change their master passwords.
What stops cybercriminals from spamming LastPass users with fraudulent letters, disguised as official ones? When people receive an unsuspicious email with warnings and recommendations from the “developers”, they can readily follow a link to change their master password — and give it right to the cyber criminals’ hands.
Here is what we can recommend to LastPass users:
- Follow official recommendations: Change your master password and enable multi-factor authentication. It would be absolutely great if you could enable it on other websites as well, e.g. on social networks and emails.
- Do not to click links in e-mail letters which claim they are from LastPass. These letters can be fake, that’s why it’s better to enter the url manually in your browser’s address bar.
- Be sure that you don’t use your master password on any other website. It’s always good to use different passwords for different services.
This is not the first time LastPass has had to deal with security issues. Last summer the University of California Berkeley revealed security flaws in five security managers, including LastPass. The other four were RoboForm, My1Login, PasswordBox and NeedMyPassword. As you may know, there is no perfect security solution. A company needs courage to take responsibility and reveal breaching incidents despite the risk of losing clients. Some LastPass users will want to switch to other services, while others will be loyal no matter what happens.
