LastPass has been hacked for the second time in 6 months

Keeping track of all your passwords is difficult, especially when you have to constantly choose complex and varied passwords to maintain some semblance of security online. LastPass was founded in 2008 to make things easier, but it’s developing an unfortunate reputation. The company announced that it recently suffered a security breach, its second in six months. And if you look further back, this is far from the first time it has happened at LastPass.

According to the latest LastPass blog post, its security team recently detected unusual activity on a cloud storage account it shares with its partner brand GoTo. After investigating, the team confirmed that unknown attackers used data acquired during the previous August 2022 breach to gain access to the system. At the time, LastPass claimed there was no evidence the breach included access to user data, but now it appears that attackers have reached it.

LastPass said it alerted law enforcement and continues to work to fully understand the scope of the latest intrusion. That’s a bit of a sticking point, though. Although LastPass said cybercriminals accessed “certain elements” of customer information, it did not provide any specifics beyond one admittedly key point: customer passwords. LastPass encrypts all user passwords and has no way to decrypt them, because the encryption key is derived from the user’s master password and never leaves the user’s device. So even if attackers manage to copy user account data, it is unlikely that they will be able to read it.
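The claim above rests on a design in which the vault key is derived on the client from the master password, so the server (and anyone who copies the server’s storage) holds only ciphertext and a separate login hash. The following is an added illustration of that design, not LastPass’s code: the iteration count, the use of the username as the PBKDF2 salt, the login-hash derivation and the cipher are all assumptions. In particular, the standard library has no AES, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AES-256 a real product would use; the point is what the server ends up storing, not the cipher.

```python
import hashlib
import hmac
import json
import os

# Constructed value for the example; the real iteration count is not stated on this page.
ITERATIONS = 100_000


def derive_keys(master_password: str, username: str, iterations: int = ITERATIONS):
    """Run on the client. Returns (enc_key, mac_key, auth_hash).

    enc_key/mac_key never leave the device. auth_hash is what the client
    sends to log in, and is all the server ever stores about the password.
    Using the username as salt (an assumption here) keeps two users with the
    same master password from sharing a key.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), iterations, dklen=64
    )
    enc_key, mac_key = material[:32], material[32:]
    # One extra one-way step so the login credential does not reveal enc_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, mac_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for AES (see lead-in)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Constant-time compare; a wrong master password fails here, before any plaintext is produced.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_upload(username: str, master_password: str, vault: dict) -> dict:
    """Everything in the returned record is what the server would store."""
    enc_key, mac_key, auth_hash = derive_keys(master_password, username)
    blob = encrypt_vault(enc_key, mac_key, json.dumps(vault).encode())
    return {
        "username": username,
        "iterations": ITERATIONS,
        "auth_hash": auth_hash.hex(),
        "vault_blob": blob.hex(),
    }


def client_open(record: dict, master_password: str) -> dict:
    """Re-derive the keys from the master password and decrypt the stored blob."""
    enc_key, mac_key, _ = derive_keys(master_password, record["username"], record["iterations"])
    return json.loads(decrypt_vault(enc_key, mac_key, bytes.fromhex(record["vault_blob"])))


def stolen_record_reveals_secret(record: dict, vault: dict) -> bool:
    """Check whether any stored site password appears in the copied server record."""
    dump = json.dumps(record)
    return any(secret in dump for secret in vault.values())


if __name__ == "__main__":
    # Constructed sample vault.
    vault = {"example.com": "hunter2-constructed", "bank.example": "another-constructed-secret"}
    record = client_upload("alice@example.com", "correct horse battery staple", vault)
    print("server stores:", record)
    print("readable from stolen record:", stolen_record_reveals_secret(record, vault))
    print("owner opens vault:", client_open(record, "correct horse battery staple"))
    try:
        client_open(record, "guess")
    except ValueError as err:
        print("attacker with wrong password:", err)
```

The protective value here is entirely in `derive_keys` running on the client: a copied record gives an attacker the salt, the iteration count, a login hash and a ciphertext, and turning any of that into vault contents means guessing the master password, which is why the strength of the master password and the cost of the key derivation are what matter after a breach like this one.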

[Image: password hash]

LastPass has an extensive history of security flaws for a small company that has only been around since 2008. In 2011, attackers stole user data from LastPass, forcing users to change their master passwords. This happened again in 2015, when LastPass started using strong encryption. In 2016, 2017 and 2019, security researchers reported serious vulnerabilities, all of which were patched. Just last year, users had to change their master passwords after malicious login attempts that the company blamed on credential stuffing. However, victims claimed that their LastPass credentials were unique. That was never fully explained, but here we are in 2022 with a pair of LastPass breaches.

Passwords are an imperfect way to protect accounts. You either choose strong passwords that require a third party to manage, or you keep passwords simple. In either case, you can get hacked. No wonder Microsoft, Google and others are trying to kill the password.
