A security breach has been discovered within the LastPass password manager service. More information will follow in the coming weeks. Keep your LastPass account safe by changing your master password and creating a new, unique one-time recovery key.
The LastPass team is notifying all users of an incident that resulted in a security breach of its platform and data. The breach reportedly encompasses millions of user accounts, including master passwords for the service as well as email addresses, encrypted passwords, API keys, site data, and authentication tokens. However, no other user-protected information was compromised in this incident.
Online services like this are attractive targets for external attackers because the sensitive data their users store can later be used or resold. No known virus, malware, or phishing site was used to gain entry into users' accounts; instead, the attacker tampered with user-supplied data and modified the LastPass platform around it.
The LastPass site was breached through a vulnerability in its system that was discovered in September 2016. To exploit this weakness, an attacker would first have gained access to the site through a web flaw that allowed users to log in without entering a password. The most likely method of initial entry is the use of standard social engineering techniques.
The LastPass team still needs to determine how its system became vulnerable in the first place. To do this, it might engage a virtual CSO or run penetration testing to reveal the vulnerabilities.
As of today, the lastpass.com domain has been updated with new authentication measures and additional security features. Users who have not yet changed their LastPass master password can do so now. The longer this change is delayed, the less protection it offers, so users are advised to make it promptly.
Users can also remove non-essential apps from the LastPass service and disable unused browser extensions. This cleanup helps reduce the risk of their accounts being compromised by attackers in the future.
This incident has affected not only LastPass users but also several other companies and organizations. Many LastPass customers have raised concerns with the company about their accounts, asking whether the breach would affect their bills.
One of these companies is the popular social media platform Twitter. LastPass confirmed that Twitter was affected by the incident and that a small percentage of Twitter users were affected by the breach.
Attackers are also exploiting the event: by sharing concerns about it on social media, they attempt to gain access to and control over user and company accounts and to obtain user information. Users are still deciding whether to trust the LastPass team and accept its offer to help reopen their accounts so they can protect themselves.
The company is offering, via email, a free one-time password reset to everyone whose passwords were exposed in the breach; this will restore their access to the encrypted vaults holding their site data and login information. It also advises users to create a unique password and keep their passwords strictly confidential.