LastPass password manager hacked by cyber attackers who stole people’s secrets

Passwords and other private information should be hard for attackers to actually see, company advises

Andrew Griffin
Friday 23 December 2022 12:48 EST
The UK’s cybersecurity laws will be updated to require outsourced IT providers to meet security standards as part of efforts to better protect supply chains, the Government has announced (NicoElNino/Alamy/PA)

Password manager LastPass has been hacked by cyber attackers who stole people’s secrets.

But that private information – which largely consists of passwords for other websites, and so could be very valuable to hackers – is likely to remain impossible for the attackers to read, the company claims.

LastPass is one of a range of password managers that allow people to create secure passwords for individual websites and then store them. That means that hackers should struggle to get into any of those websites, and that the impact of any hack on any individual service will be limited.

But it also means that any hack on the password manager itself could be disastrous, given that attackers could instantly gain access to a person’s whole digital life. There have been a number of such hacks in recent years.

In August, LastPass announced that it had been hacked, but that no user information had been stolen. It has now said that company information taken in that hack was used to get back into its systems – and to get away with people’s passwords.

The attackers were able to get away with a copy of a backup of customer data, the company said. That backup contains “both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data”, LastPass said.

The information that was encrypted before the attack remains encrypted, however, and so it should be very difficult for any attacker to read it. To do so, they would need the master password that unlocks that encryption and makes those passwords visible.

LastPass said that its password rules should make it very difficult for an attacker to do that. If a person had used the default settings, it would take “millions of years” to guess the password, it said.
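To make the two previous paragraphs concrete, here is an added example (not LastPass code, and not a description of its real vault format) that models one row of such a backup: the URL is stored in clear, the sensitive fields are encrypted under a key stretched from the master password, and a cost estimate shows why the iteration count and the master password's strength together decide how long offline guessing would take. The iteration count, the guessing rate and the HMAC-based stream cipher are all assumptions for illustration.

```python
import hashlib
import hmac

# Assumed KDF iteration count for this example; the article does not give LastPass's value.
KDF_ITERATIONS = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); not the real vault cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, label + offset.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def make_backup_record(url: str, fields: dict, master_password: str, salt: bytes) -> dict:
    """Model one backup row: the URL stays readable to whoever holds the backup, the
    sensitive fields are encrypted, and a tag lets a wrong master password be detected."""
    key = derive_key(master_password, salt)
    enc = {name: keystream_xor(key, name.encode(), value.encode()) for name, value in fields.items()}
    tag = hmac.new(key, b"".join(enc[name] for name in sorted(enc)), "sha256").digest()
    return {"url": url, "salt": salt, "fields": enc, "tag": tag}


def open_record(record: dict, master_password: str) -> dict:
    """Decrypt a row; raises ValueError when the master password is wrong."""
    key = derive_key(master_password, record["salt"])
    enc = record["fields"]
    tag = hmac.new(key, b"".join(enc[name] for name in sorted(enc)), "sha256").digest()
    if not hmac.compare_digest(tag, record["tag"]):
        raise ValueError("wrong master password or tampered record")
    return {name: keystream_xor(key, name.encode(), value).decode() for name, value in enc.items()}


def years_to_exhaust(entropy_bits: float, iterations: int = KDF_ITERATIONS,
                     hashes_per_second: float = 1e10) -> float:
    """Worst-case time to try every master password of the given entropy: each guess
    costs `iterations` PBKDF2 rounds, so the KDF cost multiplies the attacker's work.
    The default guessing rate is an assumed figure, not a measured one."""
    return (2.0 ** entropy_bits) * iterations / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample data, not taken from any real vault.
    row = make_backup_record("https://example.com/login", {"username": "alice", "password": "correct horse"},
                             "Strong master passphrase 42!", b"constructed-salt")
    print(row["url"], open_record(row, "Strong master passphrase 42!"))
    print(f"{years_to_exhaust(60):.0f} years to exhaust a 60-bit master password")
```

The `years_to_exhaust` figure scales linearly with the iteration count and doubles with every extra bit of master-password entropy, which is the lever behind the company's "millions of years" claim.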

Users should be cautious about any social engineering or phishing attacks that might follow as hackers attempt to get their master password from them directly, however. The company advised customers that LastPass will never send people a link and ask them to click on it, or ask for a password outside of the sign-in process.
