Password manager with 25MILLION users breached in mysterious cyber attack

ONE of the world’s most popular password managers has been hacked by cyber crooks.

LastPass, which has 25million users, confirmed the breach on Monday, although user data was apparently not affected.

That means the millions of passwords stored on the service were not accessed by the attackers, according to the company.

Instead, source code and “proprietary technical information” was pinched in the breach, LastPass CEO Karim Toubba said.

That’s not great news for the company itself and could open it up to further cyber attacks in future.

I’m a primary school teacher…the things I can’t stand kids bringing to school

I doubled my annual income thanks to my side hustle and made £99k in a year

However, it means that its users’ passwords are safe for now.

That’s thanks to the fact that users’ master passwords are never stored on the company’s servers.

Those are the credentials that people use to access their LastPass accounts.

“LastPass can never know or gain access to our customers’ master password,” Toubba said.

Most read in Tech

“This incident did not compromise your master password.”

As such, LastPass says that no action is required by users in regard to their password vaults.

LastPass said that it has assigned a leading cybersecurity and forensics firm to investigate the matter.

It added that there is no evidence of further malicious activity.

Password managers have rocketed in popularity in recent years, with Apple, Google and other tech giants all operating their own versions.

They make it easy to use unique strong passwords across multiple accounts, which is a key first step to staying secure online.

However, their rising popularity has made the services a big target for hackers.

Breaking into a password manager’s servers could theoretically give attackers access to every password to your accounts.

Experts advised LastPass users to activate multi-factor authentication (MFA) settings to ensure that their accounts are safe.

That adds an extra layer of security by requiring you to type in, for example, a code sent by text or email whenever you log in to your account.

Tom Davison, a mobile security expert at cyber firm Lookout, told InformationSecurityBuzz: “It does not appear that user data or password vaults have been compromised in this case, however source code was confirmed stolen and attackers will be looking hard for potential weaknesses to exploit.

“LastPass users should stay vigilant, follow the news and watch for any unusual activity or login notifications across their accounts.

“It is really important to configure all of the available MFA settings provided by LastPass, including the use of an authenticator app to secure logins.

“For most users, additional MFA confirmations will be done via a mobile device – it is vital that this is secured too.”