LastPass Hacked And Why I Have Never Used It

I have always felt the concept of LastPass as well as other password managers makes sense for users that would otherwise create simple ‘easy to remember’ passwords as opposed to long strong complex passwords with a password manager. Surely, having numerous passwords in the cloud encrypted is better than jotted down on a sticky note that resides under your keyboard, right? The reason I personally do not use password managers like LassPass is the distant fear of a major hack. What if my password manager gets hacked and a hacker gets my master password? This would be tantamount to giving a thief the keys to my front door when I am heading off to vacation.

It seems my fears, as well as many other security experts’ fears have come to fruition with the announcement that LastPass was a victim of a targeted attack in which user information was compromised. On Monday, June 15th, LastPass announced through a blog post that hackers had breached their databases and compromised email addresses and password reminders as well as encrypted master passwords. Apparently, they discovered the breach after detecting rather suspicious activity on their network.

What can hackers do with the compromised information?

Unfortunately, there is a percentage of LastPass users that will undoubtedly be the victim of targeted email phishing attacks as a result of this breach. Phishing is an effective, focused attack where the cyber thugs send victims emails with an embedded link that fools users into revealing more data. LastPass users have been informed by LastPass about this breach and they recommend that users update their LastPass master password. Cyber thieves have already keyed in on this and are no doubt, readying focused email phishing attacks that might have a message: UPDATE your LastPass master password immediately. An unsuspecting LastPass user may click on the attachment and be redirected to a site that looks awfully close to LastPass but is just there to collect more information from naive users. They would be prompted to enter their old master password and then asked to create a new complex strong secure password. Now the cyber hackers have the master password without having to steal it or decrypt it. The unsuspecting users have hand-delivered this information directly to the hacker’s servers.

Even though they did not get all the encrypted individual passwords, the breach could also result in other compromises such as unlocking a user’s email account where you need the email address and password reminder allowing them to gain access to your email and a trove of other valuable private information.

If the hackers are truly advanced there is a chance, although unlikely, that they can hack the encryption to crack the master password. This is extremely difficult, but then again, who would have thought a security company that provides encrypted password protection would ever be hacked in the first place? To make matters worse, this is actually the second breach that LastPass has faced. Four years ago, LastPass also faced a targeted attack.

What can LastPass customers do?

I highly recommend to anyone reading this to change your LastPass master password. Do not use passwords based on any personal information such as your spouse, child, or pet’s name, birthday, address, etc. Also make sure your password is not anything that can be easily obtained from a search or pulled from social media. Your master password should be at least 15 alphanumeric characters and have a mix of numbers, symbols, with both upper and lower case characters. Keep in mind, 80% of ALL security breaches involve stolen and weak passwords.

It is important if you are accessing your LastPass account remotely or from another device to utilize multi-factor authentication. This is an added layer of security that requires a single one time password that is sent to your mobile phone as a text, for example.

At the end of the day we all live in a corrupt world where cyber thieves prey on the innocent. This breach will certainly be a wake up to many users. I personally use a little black book that is kept under lock and key in a locked safe, in a locked room, in a locked building that is monitored 24/7 with cameras/DVR’s and an alarm. I change my long & strong passwords every three months and am a bit paranoid. I was not always this paranoid until my company was hacked; credit card, debit card, checking account, twitter account, web site, etc. I decided to share my trial and errors in being a victim of repeated hacks and what practical steps people can take to protect themselves.

Author
Recent Posts

Follow Scott

Scott Schober

BVS, Inc. CEO | Author | Speaker | Cyber Security & Wireless Expert at Scott Schober LLC

Scott Schober presents at cybersecurity conferences for banking, insurance, transportation, construction, telecommunications and law enforcement industries. He has overseen the development of dozens of wireless test, security, safety and cybersecurity products used to enforce a “no cell phone policy” in correctional, law enforcement, and secured government facilities. Scott regularly appears on network news programs including Fox, Bloomberg, Good Morning America, CNN, MSNBC, NPR and many more. He is the author of 'Senior Cyber', 'Cybersecurity is Everybody's Business' and 'Hacked Again', the “original hacker’s dictionary for small business owners” - Forbes Magazine.

Follow Scott

LastPass Hacked And Why I Have Never Used It

Comments

Leave a Reply Cancel reply

Videogame execs under siege by hackers according to report

Cybercrime breach statistics not to be ignored

Subscribe to Scott’s podcast

Contact