Skip to main content

Hackers just stole LastPass data, but your passwords are safe

The developers behind password management software LastPass have just shared some concerning news: Bad actors were recently able to access “elements of our customers’ information” in a recent security breach.

It’s the second time in just a couple of months that LastPass has suffered a security incident, and it appears the two events are directly linked. That’s because LastPass’s developers say that the unauthorized party was able to access customer data “using information obtained in the August 2022 incident.”

A physical lock placed on a keyboard to represent a locked keyboard.
piranka / Getty Images

For those unfamiliar with that episode, hackers managed to access and steal parts of LastPass’s source code. While the company said no customer data was stolen at the time, it appears the source code allowed the hackers access to private information this time around.

Recommended Videos

Indeed, the company was alerted to the breach when it detected “unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.”

Please enable Javascript to view this content

Your passwords are safe

A dark mystery hand typing on a laptop computer at night.
Andrew Brookes / Getty Images

Fortunately, there is some good news: customer passwords appear to be safe and remain fully encrypted. That’s thanks to LastPass’s Zero Knowledge structure, which basically means that only you have access to your master password and any data stored inside your vault — not even LastPass’s developers can access it. With that kind of firewalling in place, the hackers were unable to steal any passwords or vital account data.

Still, it’s a worrying development for both LastPass and its users. People store incredibly sensitive information in password managers, and not just the keys to their digital accounts. LastPass can also be used to safely stow credit card information, private notes, and other data that should be kept locked away from prying eyes.

In the meantime, LastPass has been working with security firm Mandiant to work out exactly what happened in this latest security breach. Law enforcement agencies have also been notified, and no doubt will be carrying out their own investigation.

LastPass has reassured users that its “products and services remain fully functional,” and has recommended customers should follow its best practices for setting up and configuring their accounts using the instructions on the LastPass website. The company has promised to post more updates “as we learn more.”

Alex Blake
Alex Blake has been working with Digital Trends since 2019, where he spends most of his time writing about Mac computers…
Hackers may have stolen the master key to another password manager
Open padlock cybersecurity

The best password managers are meant to keep all your logins and credit card info safe and secure, but a major new vulnerability has just put users of the KeePass password manager at serious risk of being breached.

In fact, the exploit allows an attacker to steal a KeePass user’s master password in plain text -- in other words, in an unencrypted form -- simply by extracting it from the target computer’s memory. It’s a remarkably simple hack, yet one that could have worrying implications.

Read more
Hackers are using a devious new trick to infect your devices
A person using a laptop with a set of code seen on the display.

Hackers have long used lookalike domain names to trick people into visiting malicious websites, but now the threat posed by this tactic could be about to ramp up significantly. That’s because two new domain name extensions have been approved which could lead to an epidemic of phishing attempts.

The two new top-level domains (TLDs) that are causing such consternation are the .zip and .mov extensions. They’ve just been introduced by Google alongside the .dad, .esq, .prof, .phd, .nexus, .foo names.

Read more
This Bing flaw let hackers change search results and steal your files
The new Bing preview screen appears on a Surface Laptop Studio.

A security researcher was recently able to change the top results in Microsoft’s Bing search engine and access any user’s private files, potentially putting millions of users at risk -- and all it took was logging into an unsecured web page.

The exploit was discovered by researcher Hillai Ben-Sasson at their team at Wiz, a cloud security firm. According to Ben-Sasson, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users’ private files and data.

Read more