LastPass hacked: Should you be worried about your passwords?


Top password management platform LastPass has been compromised, the company has confirmed.

The firm sent an email notification to its users explaining what had happened, and reassured them that, despite the attack, their passwords and other sensitive data are safe.

The email, signed by the company CEO, Karim Toubba, said a LastPass developer had their accounts compromised, which led to the threat actor gaining access to “portions of the LastPass development environment,” and that “our products and services are operating normally.”

Unusual activity

Toubba did not detail how the developer lost their account, whether they were a victim of a phishing attack or ended up running malware on one of the company's endpoints.

After first spotting “unusual activity,” the company set out to investigate and found “no evidence that this incident involved any access to customer data or encrypted password vaults.” Still, LastPass deployed both containment and mitigation measures and brought in a “leading cybersecurity and forensics firm” to further investigate what happened.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” the announcement reads. “Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment.” 

Master passwords, vault data, as well as personal information, are all safe, LastPass reiterated, adding that there’s no need for users to do anything, or change anything, at this time. 

LastPass is one of the world’s most popular password managers; it reported more than 25 million users worldwide two years ago.

Password managers are tools that help users create strong passwords, and store them securely. They also allow users to keep their passwords updated regularly and are recommended by cybersecurity experts everywhere as a great way to keep all passwords unique, secure, and constantly fresh, both for business passwords and at home. 

Sead Fadilpašić
