Introduction
December blew in with bad news for users of the password manager service, LastPass. Just four months after a data breach back in August, another cyber event has hit the platform.
LastPass is a free service which, like many password managers, assigns users a “vault” to store and encrypt their site login credentials. LastPass fills these into the appropriate websites so that you don’t have to remember so many long, complex and varied passwords. It reminds you when you need to change passwords after you’ve used one for awhile, notifies you when you’re using the same password for two or more different profiles, and even generates secure codes so that you don’t have to worry about making up something unhackable.
(Did you know? Longer is stronger; the safest passwords use 12 or more characters.)
Unfortunately for users, none of that helps if the developer side of the platform gets breached.
What Happened in December?
Barely into December, the LastPass CEO, Karim Toubba, revealed that their team discovered odd activity on the Cloud that they share with their parent company, GoTo. Like many companies, LastPass relies on a third-party storage system because physical storage devices are often incompatible with the modern business owner’s needs, such as managing huge swaths of data from any location.
What’s worse: The two data breaches on LastPass are actually related. Back in August, the hackers logged into the developers’ side. Now, allegedly they couldn’t access customer data from that side of the platform. However, they did manage to acquire inside information from the source code and developers’ accounts, and that data then enabled them to breach into the LastPass cloud this time around.
Unlike the data breach that occurred in August, this time Toubba confirmed that users’ data may have been exposed in the leak.
What This Means for Users
The good news? Password managers encrypt your data before it’s stored in your vault, which can only be unlocked with your master password.
The bad news? These services don’t just handle passwords; you can load your credit card, ID and lots of other personally identifiable information (PII) into the vault to recall when you need it. The thought of all that data being compromised would put anyone on edge, no matter how well it’s disguised in the cloud!
Although your PII is encrypted, your name, billing and email addresses, and other profile information could have been exposed during a breach on the developers’ side. If you know your information may have been exposed in a recent hack, be extra wary of phishing scams coming your way!
You might also change some of your passwords to add some extra security to your accounts. Then set up multi-factor authentication, which requires an additional form of ID, like your fingerprint or a one-time password, to ascertain that it’s really you. Even if scammers leverage info stolen from your password manager, they won’t be able to access any of your accounts.
Conclusion
Password managers are supposed to keep our information safe. It’s an ironic and unfortunate day when those services are breached themselves. The fact is, though, that no one is safe from data breaches. It’s a question of if, not when, you may be exposed.
Understand the limitations of your password manager and see how they’ve responded to breaches in the past, take steps like setting up MFA to better secure your accounts, and stay aware of recent security incidents so that you can better protect your accounts and PII going forward. Although the affected service will keep you updated about what they’re doing to re-secure your information, the future of your PII and what you do with it rests with you!
References