LastPass confirms it suffered a cyberattack and data theft. Beware!

LastPass, one of the most widely used password management services, has sent a security alert to its customers admitting that it was hacked a couple of weeks ago. On the positive side, it says it has no evidence that customer data or encrypted password vaults have been compromised.

LastPass CEO Karim Toubba explained on the official blog that two weeks ago they detected signs of unusual activity in their development environment. After that, the company activated containment mode, implemented mitigation measures, partnered with a cybersecurity company, and began conducting a detailed investigation.

Although this investigation is ongoing, Toubba says that no signs of access to user data or encrypted password vaults have been detected so far, but the attacker did steal data from the company itself, LastPass source code snippets, and proprietary technical documentation.

Although the details of the cyberattack and the group responsible are not known, the company has explained that an “unauthorized party” managed to gain access to part of its development environment by compromising a single programmer's account.

LastPass and the problem of hacking these big managers

Password managers are a great solution for managing access to the large number of Internet services where we are registered. This type of software reduces human error in the handling of passwords, since it automates the generation and entry process and avoids the problem of juggling multiple passwords, and as a result it also helps against phishing attacks.

One of their great advantages is that the user just needs to remember one master password and the manager will do the rest. The problem is that if this password is stolen, you can be considered dead, virtually speaking. LastPass is one of the largest companies of its kind, claiming to have 33 million individual customers and 100,000 businesses.

It must be said that LastPass stores passwords in “encrypted vaults” that can only be decrypted with a customer’s master password, which even the company itself has no access to. That’s the theory. The company has been a frequent target of cyberattacks in the past for the reasons mentioned.

On this occasion, they say they have no evidence that the accounts have been accessed or that the general service has been compromised. In any case, until LastPass fully clarifies the situation, I would change the master password and, above all, enable two-factor authentication to ensure that no outside party accesses the accounts.

Another possibility is to use another type of manager, like some of these free and open source alternatives. They have the same problem if your master password is stolen for whatever reason, but, in general, they are still much more secure than managing passwords yourself.