Online password managers can make your life much easier by automatically entering a separate password for each website and service you have an account with. It’s a convenient tool. That is, unless it’s hacked. In that case, by compromising a single password, cybercriminals can gain access to valuable information, up to and including your banking credentials.
LastPass, a popular password manager, has recently disclosed a network breach. Attackers obtained user email addresses, password reminders, per-user salts and authentication hashes. The master passwords themselves were not exposed: the service never stores them, only a salted hash derived from them. Nevertheless, LastPass recommends that users change their LastPass master passwords and enable multi-factor authentication.
Let’s give the company credit: when LastPass found the breach, it quickly issued a public warning. Many large companies try to keep breaches secret, which only benefits the attackers, but not in this case.
At the same time, the potential consequences of the breach are disputed. LastPass CEO and founder Joe Siegrist claims the incident will not affect “the vast majority of users”. Some researchers support this position, arguing that users with strong master passwords face no real risk: the leaked salt and hash can only be attacked by guessing the master password offline, which is impractical against a long, unique one.
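To make concrete what the leaked data (per-user salts and authentication hashes) lets an attacker do, and why the “strong password” argument holds, here is an added Python example. It is not LastPass’s code, and the page does not give LastPass’s derivation parameters: PBKDF2-HMAC-SHA256, the iteration count, the wordlist and the sample accounts are all assumptions constructed for illustration.

```python
"""Why leaked per-user salts and authentication hashes hurt weak master
passwords far more than strong ones.

Added example, not LastPass's code. The page does not state LastPass's
key-derivation function, iteration count or salt format, so PBKDF2-HMAC-SHA256
with the constants below is a stand-in chosen only for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # assumption for the demo; production services use far more
DKLEN = 32            # 256-bit authentication hash


def make_record(email, master_password, salt=None):
    """Build the server-side record: exactly the data the page says was leaked
    (email, per-user salt, authentication hash). The master password itself
    is never stored."""
    if salt is None:
        salt = os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, ITERATIONS, DKLEN)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record, candidate):
    """Server-side login check; constant-time comparison avoids a timing leak."""
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                record["salt"], ITERATIONS, DKLEN)
    return hmac.compare_digest(guess, record["auth_hash"])


# Constructed attacker wordlist; real ones hold billions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "lastpass", "summer2015"]


def offline_crack(record, wordlist=WORDLIST):
    """What the attacker does with a leaked record: guess offline, with no
    rate limiting and no lockout. Each user needs a separate run because the
    salt differs per user, so a precomputed table is useless."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    weak = make_record("alice@example.com", "summer2015")        # constructed accounts
    strong = make_record("bob@example.com", "r9$Kq2!vLp7#Xw4m")
    print("weak  :", offline_crack(weak))     # found in the wordlist
    print("strong:", offline_crack(strong))   # None: not in the list
    # Per-user salt: same password, two users, two different hashes.
    twin = make_record("carol@example.com", "summer2015")
    print("same hash?", weak["auth_hash"] == twin["auth_hash"])
```

The record is all the attacker has after a leak like this one; the only move left is to derive the hash for candidate passwords and compare. A short, common master password falls to a wordlist in seconds; a long, unique one forces the attacker through a keyspace the iteration count makes unaffordable, and the per-user salt means that work cannot be shared across accounts.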
We've updated the blog with follow-up information to user questions about yesterday's announcement: https://t.co/DaW6LiIp7M
— LastPass (@LastPass) June 16, 2015
Other researchers argue that the breach could trigger a new wave of malicious activity aimed directly at LastPass users. Armed with a list of email addresses, attackers could run a targeted phishing campaign against them.
What stops cybercriminals from spamming LastPass users with fraudulent emails disguised as official ones? Users have just heard about the breach, and now an email arrives, apparently from LastPass, asking them to reset their master password on a linked page. If they comply, the attacker gets the new master password. Bingo: they’re in.
Here’s a list of recommendations for all those affected:
- Follow the official recommendations: change your master password and enable multi-factor authentication. If you can, enable two-factor authentication on your other accounts as well.
- Do not click links in emails that claim to be from LastPass. Such emails can be fake, so type the URL into your browser’s address bar yourself.
- Make sure you don’t use your master password on any other website. Using a different password for every service is good practice in general, and it is exactly what a password manager is for.
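The phishing scenario above and the “don’t click links” recommendation come down to one question: does the link really lead to LastPass? As an added illustration (not code from LastPass or Kaspersky), the Python below screens the links in a plain-text email for the look-alike tricks such campaigns rely on. The trusted-domain set, the sample email and the regular expression are assumptions constructed for this example.

```python
"""Screen links in a 'LastPass breach' email before anyone clicks them.

Added example, not code from LastPass or Kaspersky. The trusted-domain set is
an assumption for illustration: lastpass.com is LastPass's real domain, but
verify any domain you add yourself. The sample email is constructed.
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"lastpass.com"}   # assumed trust anchor; verify before extending

# Loose URL matcher for plain-text mail bodies; trailing punctuation is stripped later.
LINK_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)


def is_trusted_link(url: str) -> bool:
    """True only for an https URL whose host is a trusted domain or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False              # 'https://lastpass.com@evil.example/' reads as LastPass
    host = parts.hostname         # lower-cased, port removed; None if absent
    if not host or not host.isascii():
        return False              # Unicode look-alike characters
    if any(label.startswith("xn--") for label in host.split(".")):
        return False              # punycode-encoded look-alikes
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def untrusted_links(text: str) -> list:
    """Every link in the text that does not pass is_trusted_link."""
    links = [m.rstrip(".,;:!?") for m in LINK_RE.findall(text)]
    return [u for u in links if not is_trusted_link(u)]


# Constructed phishing sample: the From header is trivially forged, and the
# 'reset' link only starts with lastpass.com; its real registrable domain is
# account-verify.example.
SAMPLE_EMAIL = """\
From: LastPass Security <security@lastpass.com>
Subject: Action required: reset your master password

After the recently announced incident, please reset your master password:
https://lastpass.com.account-verify.example/reset
Our official notice is available at https://lastpass.com/ as always.
"""

if __name__ == "__main__":
    for link in untrusted_links(SAMPLE_EMAIL):
        print("DO NOT CLICK:", link)
```

The checks reject exactly the tricks a phisher uses: a trusted name placed before an `@`, a trusted name used as a subdomain of an attacker’s domain, hyphenated or misspelled variants, and Unicode or punycode look-alikes. It is a triage aid for mail you are suspicious of, not a substitute for the advice above: typing the address yourself sidesteps every one of these tricks at once.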
This is not the first time LastPass has had to deal with security issues. Last summer, researchers at the University of California, Berkeley revealed security flaws in five password managers, including LastPass. The other four were RoboForm, My1Login, PasswordBox and NeedMyPassword.
Data breaches have become a routine. You can’t prevent it, but there is a way to minimize the damage. http://t.co/Gq4ERG41NK
— Kaspersky Lab (@kaspersky) August 6, 2014
There is no perfect security solution. Companies need the courage to take responsibility and disclose a breach, despite the risk of losing customers. Some LastPass users will want to switch to other services, while others will stay loyal no matter what happens.
If you are considering a new password manager, take a look at Kaspersky Password Manager.
You can go even further and install Kaspersky Total Security — Multi-Device. It has a built-in password manager as well as all the security features you need to protect your devices and your data from malware.