Hackers just stole LastPass data, but your passwords are safe

The developers behind password management software LastPass have just shared some concerning news: bad actors were able to access “elements of our customers’ information” in a recent security breach.

It’s the second time in just a couple of months that LastPass has suffered a security incident, and it appears the two events are directly linked. That’s because LastPass’s developers say that the unauthorized party was able to access customer data “using information obtained in the August 2022 incident.”

For those unfamiliar with that episode, hackers managed to access and steal parts of LastPass’s source code. While the company said no customer data was stolen at the time, it appears the source code allowed the hackers access to private information this time around.

Indeed, the company was alerted to the breach when it detected “unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.”

Your passwords are safe

Fortunately, there is some good news: customer passwords appear to be safe and remain fully encrypted. That’s thanks to LastPass’s Zero Knowledge structure, which basically means that only you have access to your master password and any data stored inside your vault — not even LastPass’s developers can access it. With that kind of firewalling in place, the hackers were unable to steal any passwords or vital account data.

Still, it’s a worrying development for both LastPass and its users. People store incredibly sensitive information in password managers, and not just the keys to their digital accounts. LastPass can also be used to safely stow credit card information, private notes, and other data that should be kept locked away from prying eyes.

In the meantime, LastPass has been working with security firm Mandiant to determine exactly what happened in this latest security breach. Law enforcement agencies have also been notified, and no doubt will be carrying out their own investigation.

LastPass has reassured users that its “products and services remain fully functional,” and has recommended that customers follow its best practices for setting up and configuring their accounts using the instructions on the LastPass website. The company has promised to post more updates “as we learn more.”

Alex Blake