LastPass Password Manager Hacked Again in Less Than 6 Months

Popular Password Manager LastPass Hacked Again in Less Than Six Months

Earlier this week, popular password manager LastPass suffered a second hack in less than six months. According to LastPass, this hack involved an exploit in the company's browser extension that allowed hackers to access the passwords of websites that were using the extension. However, the exploit only allowed hackers to access hashed versions of the master passwords of LastPass users, and not the actual passwords themselves.

Nonetheless, LastPass has taken steps to reassure users that the passwords stored in their vaults remain secure. They are encrypted with military-grade 256-bit AES encryption and transmitted to the server using a separate hashing algorithm. In addition, LastPass is deploying a monitoring capability. In other words, LastPass is letting law enforcement and cybersecurity experts keep tabs on what's going on.

LastPass is a free password manager that helps users generate and store passwords for multiple accounts. It also features an Authenticator app for mobile devices. This app is one of the many elements of a multi-factor authentication scheme that makes LastPass more secure than it might seem.


LastPass was hacked for the first time in August. In this case, it was an exploit that allowed hackers to access the email addresses, password reminder questions and hashed master passwords of LastPass users. The exploit was relatively small, and the company has since patched up the flaw.

LastPass was hacked for a second time in late December. In this case, an unauthorized party broke into the company's development environment and accessed a portion of the source code. However, LastPass CEO Karim Toubba said that the exploit was not all that big a deal and that the company did not have any reason to suspect that the hacker had gained access to customer data. The company is currently investigating the incident, but has not said whether the data was actually compromised.

The last time LastPass was hacked, the company did not mention the specifics of the hack, but did say it had hired Mandiant, a top cybersecurity firm, to help investigate the incident. According to LastPass, the security company's team discovered a problem two weeks ago. It also revealed that it had employed an encrypting hashing algorithm called the Zero Knowledge Architecture to help safeguard its customers' information. This hashing algorithm is supposed to add another layer of security to the password manager.

The company also revealed that its chief technology officer was responsible for the aforementioned feats. He said the best way to protect your passwords was by using the appropriate password management system. While the company has not stated which password management system is the best, LastPass recommends using the password manager that has the best features, such as a strong encryption system, multi-factor authentication, and an online backup. The company's website also has a page describing the LastPass Account Recovery process.

In addition to this security incident, LastPass has had other vulnerabilities in recent years. It was hacked in 2012, and again in 2015. Its reputation was tarnished by this incident, although the company was able to patch up the problems quickly.

Chandeshawar Singh

Chandeshawar Singh is a blogger with more than 10 years of experience in tech blogging.
