LastPass owner confirms worst fears: stolen customer vault data
Maybe it’s finally time to drop LastPass completely.
Time to change all your passwords, folks! LastPass’ parent company, GoTo, announced that hackers gained access to customer data, the very data LastPass originally claimed hackers hadn’t gained access to.
For context, LastPass is one of the world’s most popular password management apps. You store your passwords in the app, so you don’t have to remember them all.
Back in November, LastPass reported an incident where they believed hackers gained access to their systems.
According to GoTo, the November security breach resulted in hackers making off with some of the encrypted data belonging to its customers.
Here’s the relevant snippet of GoTo’s announcement:
“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere,” GoTo CEO Paddy Srinivasan wrote in a blog post.
“We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
In case you missed that last key piece: “affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings.”
In other words, that means usernames, passwords, and other sensitive settings. That’s literally all the things GoTo’s LastPass is supposed to keep away from hackers.
On a lighter note, Srinivasan adds that some passwords were scrambled (salted and hashed) to make it harder for the hacker to access them.
Here’s my question: if they could penetrate LastPass and other services, what’s stopping them from unscrambling the data?
Who’s responsible here? Sure, obviously, the hackers. But that’s what hackers do, they hack. So who else is at fault here?
Could it have been the company whose sole purpose is keeping people’s information and data secure and private, like GoTo?
There’s a pattern here, and it’s pretty simple really: LastPass is really bad at offering the core services it promotes to its customers. Seriously, this isn’t a one-time incident. Look at some of the stories we covered in the past two years:
Yeah, certainly not a good look.
Next steps for LastPass customers
So what should LastPass customers do in the meantime? My first suggestion? Cancel whatever subscription you have with LastPass. They’re clearly not in a position to handle your data.
And if you plan to cancel LastPass and need a new option, we recently published this updated piece on the best free password managers.
And if you decide to stay with LastPass, at the very least, GoTo is putting some extra security systems in place.
For example, it is resetting affected users’ passwords and migrating accounts to a more advanced Identity Management Platform with enhanced security features.
Now, excuse me while I go cancel my LastPass subscription.