Struggling LastPass Suffers New Data Breach. Is Your Account at Risk?


LastPass, the popular password management service, has suffered yet another data breach, raising serious concerns about the security of its users’ accounts. The latest breach, which occurred in March 2023, has exposed critical corporate vaults and encryption keys, putting millions of users at risk.

Key Takeaways

  • LastPass has experienced multiple data breaches, with the latest one occurring in March 2023.
  • Hackers have obtained access to critical corporate vaults and encryption keys.
  • 30 million LastPass users are at risk, along with users of other GoTo products.
  • Experts question the effectiveness of LastPass’ security measures.

The Latest Breach

In a March 1 update, LastPass announced that the hacker behind the previous breach in August 2022 had hacked a senior engineer’s home computer. This breach allowed the hacker to access a critical corporate vault available to only four top employees. The vault contained encryption keys for 30 million customer vault backups stored on Amazon web servers, as well as decryption keys needed to access various cloud-based storage resources and critical database backups.

Previous Breaches

LastPass has been struggling with data breaches since last year. On December 22, 2022, the company revealed that hackers had obtained extensive information from user accounts, including billing and email addresses, end-user names, telephone numbers, and IP address info. Customer vault data, which includes both unencrypted data like website URLs and encrypted data such as usernames and passwords, was also leaked.

In January 2023, LastPass’ parent company GoTo revealed that the initial hack had also affected several of its other products, including Join.me, Remotely Anywhere, Hamachi, and Central. Encrypted backups and encryption keys for these services were also stolen.

Risks for Users

All 30 million LastPass users with data stored on the company servers as of August 2022 are at risk. Hackers now have a copy of your entire password vault. If they manage to crack your master password, they can take over your online life, gaining access to emails, bank accounts, healthcare data, tax information, and social media accounts.

The risks are similar for users of other GoTo products like Join.me, Central, Remotely Anywhere, and Hamachi. Hackers can use the stolen private information to disrupt other parts of your digital life. GoTo has reset potentially compromised passwords and reauthorized hacked MFA settings where applicable.

Expert Opinions

Cybersecurity experts have raised concerns about LastPass’ recent updates. Wladimir Palant, security researcher and creator of AdBlock Plus, criticized the company’s statements as being full of omissions and half-truths. Senior security researcher John Scott Railton considers the hack a far more grave threat than reported. Yahoo’s senior information security engineer Jeremi Gosney also criticized LastPass’ approach to security, noting the numerous breaches over the past decade.

How to Protect Yourself

If you’re a user of LastPass or other GoTo products, consider all of your stored data at risk. Here are some steps you can take to protect yourself:

  1. Immediately update the passwords and MFA settings for your critical online accounts.
  2. Prioritize email accounts, banking, taxes, credit cards, insurance, healthcare, and retirement accounts.
  3. Consider switching to other password managers like Bitwarden, 1Password, or Dashlane.
  4. Choose a strong master password with a minimum of 12 random characters.
  5. Create an account on the hacking alert website Have I Been Pwned? to receive updates on any breaches affecting you.
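
Step 4 in practice, as an added example that is not part of the original article: it draws a master password from the operating system's cryptographic random source and works out how much guessing an attacker holding a stolen vault copy would face. The 94-character printable ASCII alphabet, the default length of 16 and the function names are assumptions made for this illustration.

```python
import math
import secrets
import string

# Assumption: 94 printable ASCII characters (52 letters, 10 digits, 32 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # the minimum length the article recommends


def generate_master_password(length=16, alphabet=ALPHABET):
    """Draw every character independently and uniformly from a CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    if len(alphabet) < 2 or len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet needs at least two distinct characters")
    # secrets.choice reads the OS CSPRNG; random.choice is predictable.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size).

    Only valid for machine-generated passwords. Words, dates and keyboard
    patterns chosen by a person carry far less entropy at the same length.
    """
    return length * math.log2(alphabet_size)


def average_guesses(length, alphabet_size):
    """Expected number of offline guesses: half of the search space."""
    return alphabet_size ** length // 2


if __name__ == "__main__":
    print("example password:", generate_master_password())
    for label, size in (("lowercase only", 26), ("printable ASCII", len(ALPHABET))):
        bits = entropy_bits(MIN_LENGTH, size)
        guesses = average_guesses(MIN_LENGTH, size)
        print(f"{MIN_LENGTH} random chars, {label}: {bits:.1f} bits, "
              f"about {guesses:.2e} guesses on average")
```

Because the vault copy can be attacked offline, the master password's entropy is the only thing limiting the number of guesses, which is why the characters must be random rather than merely long.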

By taking these steps, you can mitigate the risks and protect your online life from potential threats.
