If you were planning on storing your precious codes in LastPass, the freemium password manager, my personal advice to you would be: maybe think again on that one. And if you do use it, maybe consider an alternative.
Why? Well, the password manager just got hacked. Again. That makes twice in six months. Not great for a company that’s supposed to keep your digital keys secure!
In a blog post published Wednesday, LastPass admitted that, during a recent incident, a hacker was able to access “certain elements” of “customers’ information.” What kind of information? Unclear. Not very helpful!
LastPass claims that no customers’ passwords were impacted by the incident: “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.” However, the company also implied that it’s not totally sure what customer information was viewed (and presumably stolen) by the hacker. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” wrote LastPass chief executive Karim Toubba, in the blog.
“In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating,” Toubba wrote. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.”
This most recent incident actually stems from a previous LastPass security incident that took place in August. During that episode, LastPass officials “detected some unusual activity within portions of the LastPass development environment.” At the time, the company said that there was “no evidence” that the incident had exposed any “customer data or encrypted password vaults.” However, it appears that whoever was responsible for that incident used what they took then to get back in and get ahold of some customer data—though, again, we’re not sure what kind.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Toubba says. Gizmodo reached out to LastPass for more details and will update this story if they respond.
Of course, this isn’t the first time that LastPass has had security problems. It’s part of a longstanding pattern. The company seems to suffer through some sort of cyber faux pas every year or two. From a mysterious security issue back in 2011 to a hacking episode in 2015 to vulnerabilities discovered in 2016, 2017, and 2019, LastPass has had its share of problems. This recent episode adds to its beleaguered history. Nobody’s saying security is easy, but you’d hope that a company whose entire business is keeping your passwords secure could handle it better.