LastPass has been breached, change your password
Every website under the sun wants you to have a unique password, one that you haven’t used elsewhere online. Unless you’re Raymond Babbitt, it’s almost impossible to remember each of these permutations, and that’s why password managers such as LastPass exist.
We place our trust in these password managers to centrally manage all of our passwords online, requiring us to remember only one login. However, it seems that not even those cloud-based vaults are safe from password hacks as LastPass warned this morning that it had been breached.
In an alert posted to its blog, and emails sent out to users, LastPass revealed that on Friday 12 June its team “discovered and blocked suspicious activity” on its network.
While this may be alarming, LastPass has “found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed”. However, according to its findings “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised”.
What does this mean for LastPass users? It means you need to change your LastPass master password. In addition, if that master password is the same as another password you use, you’ll need to change that one too.
For the time being, LastPass is taking additional measures in order to stay secure. All users logging in from a new device or IP address will now have to verify their account via email. Those using two-factor authentication will be able to skip this step.
While using LastPass is, theoretically, rather safe thanks to its advanced password-hashing algorithms and its use of a “salt” to make the resulting hashes less predictable, this breach exposed something far more worrying: password reminders.
Password reminders either consist of personal information or provide an obvious trigger for the password you’ve forgotten. With minimal online digging, a hacker with access to your email address alongside your password reminders could easily work their way into your accounts.
LastPass’ breach raises questions around password vaults in general. While it may be perfect for you to need only one password to log into all your sites, it also means a would-be hacker needs to focus on only one place to blow your accounts wide open.
If you’re worried about staying safe online, Davey Winder gives you 5 ways to protect yourself online.