LastPass owner confirms worst fears: stolen customer vault data


Time to change all your passwords, folks! LastPass’ parent company, GoTo, announced hackers gained access to customer data, the data LastPass originally claimed hackers didn’t gain access to.

For context, LastPass is one of the world’s most popular password management apps. You store your passwords in the app, so you don’t have to remember them all.

Back in November, LastPass reported an incident where they believed hackers gained access to their systems.

According to GoTo, the November security breach resulted in hackers making off with some of the encrypted data belonging to its customers.

Here’s a snippet of GoTo’s announcement:

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, Hamachi, and RemotelyAnywhere,” GoTo CEO Paddy Srinivasan wrote in a blog post.

“We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

In case you missed that last key piece: “affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings.”

In other words, that means usernames, passwords, and other sensitive settings. That’s literally all the things GoTo’s LastPass is supposed to keep away from hackers.

On a lighter note, Srinivasan adds that the stolen passwords were salted and hashed, in other words scrambled, which makes them harder for the hacker to recover.

Here’s my question: if they could penetrate LastPass and other services, what’s stopping them from unscrambling the data?

Who’s responsible here? Sure, obviously, the hackers. But that’s what hackers do, they hack. So who else is at fault here?

Could it have been the company whose sole purpose is keeping people’s information and data secure and private, like GoTo?

There’s a pattern here, and it’s pretty simple really: LastPass is really bad at delivering the core service it promotes to its customers. Seriously, this isn’t a one-time incident. Look at some of the stories we covered in the past two years:

Yeah, it’s certainly not a good look.

Next steps for LastPass customers

[Image: LastPass Premium. Credit: KnowTechie]

So what should LastPass customers do in the meantime? My first suggestion? Cancel whatever subscription you have with LastPass. They’re clearly not in a position to handle your data.

Second, change all of your passwords. Every single one of them. And lastly, look for a new password management system that doesn’t bleed out sensitive data.

And if you plan to cancel LastPass and need a new option, we recently published an updated piece on the best free password managers.

If you were to ask me, I’m bringing my business to NordPass from the folks at NordVPN, just because I know they haven’t suffered three data breaches in the past year.

And if you decide to stay with LastPass, GoTo is at least putting some extra security measures in place, such as resetting affected users’ passwords and migrating accounts to a more advanced Identity Management Platform with enhanced security features.

Now, excuse me while I go cancel my LastPass subscription.

Are you a LastPass customer? Have any thoughts on this? Drop us a line below in the comments, or carry the discussion over to our Twitter or Facebook.
