Hackers just stole LastPass data, but your passwords are safe

The developers behind password management software LastPass have just shared some concerning news: Bad actors were able to access “elements of our customers’ information” in a recent security breach.

It’s the second time in just a couple of months that LastPass has suffered a security incident, and it appears the two events are directly linked. That’s because LastPass’s developers say that the unauthorized party was able to access customer data “using information obtained in the August 2022 incident.”

For those unfamiliar with that episode, hackers managed to access and steal parts of LastPass’s source code. While the company said no customer data was stolen at the time, it appears the source code allowed the hackers access to private information this time around.

Indeed, the company was alerted to the breach when it detected “unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.”

Your passwords are safe

Fortunately, there is some good news: customer passwords appear to be safe and remain fully encrypted. That’s thanks to LastPass’s Zero Knowledge structure, which means that only you have access to your master password and any data stored inside your vault. Not even LastPass’s developers can access it. With that kind of separation in place, the hackers were unable to steal any passwords or vital account data.

Still, it’s a worrying development for both LastPass and its users. People store incredibly sensitive information in password managers, and not just the keys to their digital accounts. LastPass can also be used to safely stow credit card information, private notes, and other data that should be kept locked away from prying eyes.

In the meantime, LastPass has been working with security firm Mandiant to work out exactly what happened in this latest security breach. Law enforcement agencies have also been notified, and no doubt will be carrying out their own investigation.

LastPass has reassured users that its “products and services remain fully functional,” and has recommended that customers follow its best practices for setting up and configuring their accounts using the instructions on the LastPass website. The company has promised to post more updates “as we learn more.”

Alex Blake