A POPULAR password-managing app has published new details about a huge data breach.
LastPass revealed the new concerning details on it blog and is now being slammed by security experts.
1
A report by Vice even warned the outlet’s readers to ditch the app and try a new password manager.
The new LastPass blog reveals details about a “second incident” that happened during a large breach last year.
It states: “Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.”
It details how a hacker accessed the home computer of one of the four engineers who had access to a cloud vault of private customer information.
The criminal stole important access keys.
These keys are needed to access “LastPass production backups, other cloud-based storage resources, and some related critical database backups”, according to the blog.
Late last year, LastPass CEO Karim Toubba admitted that cybercriminals took “vast reams of customer data, including names, email addresses, phone numbers, and some billing information” as part of the overall breach.
LastPass recommended to its customers that the best thing they can do right now is to change their master password.
Most read in News Tech
Doing this should mean that your current LastPass vault would now be secured.
The company noted that it would be wise to change all of the passwords in your vault, especially those with personal and vital information like bank accounts.
However, some people don’t think simply changing your LastPast details is good enough to protect your apps on iPhone or Android.
Twitter is full of tweets expressing concerns over people still using LastPass.
One person said: “1. Use a password manager (NOT LASTPASS, obv) they create unique passwords for your accounts so you don’t reuse the same one. Try @Bitwarden or @1Password (not version 8 though, it’s terrible).”
Another retweeted a post about the breach and added: “If you use LastPass, please don’t.”
However, some experts are sticking up for the app.
Security researcher MG tweeted: “Just to be clear: while there is plenty to criticize about the LastPass product, the transparency of what was posted today is great.
“It actually gives me some hope that I didn’t previously have. The attacks seen here could happen to any company.
“Most would have handled it much worse. LastPass has a much higher target on their backs than most companies, so hopefully they modify the product to account for that.”
We have reached out to LastPass for comment.
