LastPass, one of the world’s biggest password managers with 25 million users, has confirmed that it has been hacked. In an advisory published on August 25, Karim Toubba, the LastPass CEO, said that an unauthorized party had stolen “portions of source code and some proprietary LastPass technical information.”
What was accessed during the LastPass network breach?
The breach appears to have been of the development servers, gained through a compromised LastPass developer account, and took place roughly two weeks before the advisory. Incident responders have contained the breach, and LastPass says there is no evidence of further malicious activity. Toubba also confirmed that no evidence has been found of any customer data or encrypted password vaults being accessed.
Has your LastPass master password or password vault been compromised?
LastPass users will naturally worry that a hacker could have got hold of the keys to their online kingdom: their passwords. However, LastPass has stressed that, under its ‘zero knowledge’ architecture, master passwords are never stored: the vault is encrypted on the user’s own device with a key derived from the master password, which never reaches LastPass’s servers, so stolen source code and development data do not by themselves unlock anyone’s vault. “LastPass can never know or gain access to our customers’ master password,” Toubba said, “this incident did not compromise your master password.” As such, LastPass says that no action is required by users in regard to their password vaults. The caveat a practitioner would add is that this assurance depends on encrypted vault data not having been taken as well: a stolen vault blob can be attacked offline by guessing weak master passwords, and LastPass’s statement that no vaults were accessed is what rules that out here.
Not their first rodeo
While LastPass deserves credit for its transparency in responding to this incident, this is not the first time users of the password manager have had to deal with news of a breach. In June 2015, the company confirmed that hackers had accessed its network; then, unlike now, users were prompted to change their master passwords when logging in.
I use a password manager because I never use the same password twice for any app or website, and I use long, secure passwords that my password manager picks for me. It then saves those passwords in my password vault for easy reference.
The downside of this: my entire financial, business and personal life would be exposed to bad actors if that vault were ever compromised because the password manager company was sloppy about security.
It’s extraordinarily difficult to prevent every kind of network intrusion. Even the best security experts have a hard time keeping up.
But I’d be wary of LastPass if it ever happens again. And I don’t care how much the company says this latest breach didn’t expose customers’ password vaults; I’d change my master password ASAP anyway.
Because LastPass is part of GoTo, a $1.262 billion company. Companies that large cannot be trusted to tell the entire truth about something that would so obviously endanger their bottom line.
