Hackers just stole LastPass data, but your passwords are safe

The developers behind password management software LastPass have just shared some concerning news: bad actors were able to access “elements of our customers’ information” in a recent security breach.

It’s the second time in just a couple of months that LastPass has suffered a security incident, and it appears the two events are directly linked. That’s because LastPass’s developers say that the unauthorized party was able to access customer data “using information obtained in the August 2022 incident.”

For those unfamiliar with that episode, hackers managed to access and steal parts of LastPass’s source code. While the company said no customer data was stolen at the time, it appears the source code allowed the hackers access to private information this time around.

Indeed, the company was alerted to the breach when it detected “unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.”

Your passwords are safe

Fortunately, there is some good news: customer passwords appear to be safe and remain fully encrypted. That’s thanks to LastPass’s Zero Knowledge structure, which means that only you have access to your master password and any data stored inside your vault. Not even LastPass’s developers can access it. With that design in place, the hackers were unable to steal any passwords or vital account data.

Still, it’s a worrying development for both LastPass and its users. People store incredibly sensitive information in password managers, and not just the keys to their digital accounts. LastPass can also be used to safely stow credit card information, private notes, and other data that should be kept locked away from prying eyes.

In the meantime, LastPass has been working with security firm Mandiant to determine exactly what happened in this latest security breach. Law enforcement agencies have also been notified, and no doubt will be carrying out their own investigation.

LastPass has reassured users that its “products and services remain fully functional,” and has recommended that customers follow its best practices for setting up and configuring their accounts using the instructions on the LastPass website. The company has promised to post more updates “as we learn more.”

Alex Blake