An online password manager can make your life much easier by automatically entering individual passwords for each website and service you visit. It is a very convenient tool – unless it is hacked. In that case, by compromising a single password, cybercriminals can gain access to invaluable information, including banking credentials.
LastPass, a popular password manager, has recently disclosed a network breach. Attackers compromised user email addresses, password reminders, per-user salts and authentication hashes. The passwords themselves were not compromised, as the service doesn’t store them in its cloud. Nevertheless, LastPass recommends users change their LastPass master passwords and enable multi-factor authentication.
Let’s give credit to the company: when LastPass found the breach, it quickly issued a public warning. Many large companies try to keep breaches secret, to the hackers’ benefit, but not here.
Still, the potential consequences of the breach remain unclear. Joe Siegrist, CEO and founder of LastPass, claims that the incident will not affect “the vast majority of users”. Some researchers support this position, declaring that there is no risk for users with strong passwords.
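The reasoning above rests on how per-user salts and authentication hashes work: the server keeps a salt and a hash derived from the master password, never the password itself, so an attacker holding the leaked record must run the full key derivation once per guess. The following is an added illustration, not LastPass’s own code or scheme; the hash function, iteration count and salt size are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not LastPass's real settings).
HASH_NAME = "sha256"
ITERATIONS = 100_000   # work factor: each login check, and each attacker guess, pays this
SALT_BYTES = 16


def make_auth_record(email: str, master_password: str) -> dict:
    """Build what the server stores for one user: email, a random per-user salt
    and an authentication hash. The master password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    auth_hash = hashlib.pbkdf2_hmac(
        HASH_NAME, master_password.encode("utf-8"), salt, ITERATIONS
    )
    return {"email": email, "salt": salt.hex(), "auth_hash": auth_hash.hex()}


def verify_login(record: dict, candidate_password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, candidate_password.encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["auth_hash"]))


def record_contains_password(record: dict, master_password: str) -> bool:
    """Sanity check a defender can run over a dump: does any stored field
    literally contain the master password?"""
    return any(master_password in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample users; the same password yields different records
    # because every user gets an independent random salt.
    alice = make_auth_record("alice@example.com", "correct horse battery staple")
    bob = make_auth_record("bob@example.com", "correct horse battery staple")
    print("alice logs in:", verify_login(alice, "correct horse battery staple"))
    print("wrong password:", verify_login(alice, "wrong guess"))
    print("same hash for same password?", alice["auth_hash"] == bob["auth_hash"])
    print("password stored in clear?", record_contains_password(alice, "correct horse battery staple"))
```

Because the salt is per user, a leaked table cannot be attacked with one precomputed list for everyone, and because each guess costs a full PBKDF2 run, the attacker’s cost grows with the password’s entropy; that is what “no risk for users with strong passwords” means in practice.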
We've updated the blog with follow-up information to user questions about yesterday's announcement: https://t.co/DaW6LiIp7M
— LastPass (@LastPass) June 16, 2015
Other researchers believe the breach could lead to a new wave of malicious activity aimed directly at LastPass users. Armed with a list of real email addresses, hackers can run a targeted phishing campaign to trick users out of the data they still lack. For example, LastPass is advising users to change their master passwords.
What stops cybercriminals from spamming LastPass users with fraudulent emails disguised as official ones? When people receive an innocuous-looking email with warnings and recommendations from the “developers”, they may readily follow a link to change their master password and hand it straight to the criminals.
Here is what we can recommend to LastPass users:
- Follow official recommendations: change your master password and enable multi-factor authentication. It would be even better to enable it on other websites as well, e.g. social networks and email.
- Do not click links in emails that claim to be from LastPass. Such emails can be fake, so it is better to type the URL manually into your browser’s address bar.
- Make sure you don’t use your master password on any other website. It’s always good to use different passwords for different services.
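The advice to type the URL yourself exists because the text of a link and its actual destination can differ. As an added example (not part of the original post, and not a LastPass tool), here is a small checker that extracts the anchors from an email body and flags links whose destination is not under the legitimate domain, is not served over HTTPS, or whose visible text shows a different host than the one it points to. The legitimate domain is an assumed configuration value, and the sample message is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domain for the service; treat as configuration.
LEGIT_DOMAIN = "lastpass.com"

# Constructed sample email body (not a real message). Attacker hosts use .test.
SAMPLE_EMAIL_HTML = """
<p>Dear user, please <a href="https://lastpass.com/reset">change your master password</a>.</p>
<p>Or use this link: <a href="http://lastpass.com.example-attacker.test/reset">https://lastpass.com/reset</a></p>
<p><a href="https://lastpass.com.evil.test/login">Log in now</a></p>
<p><a href="https://support.lastpass.com/help">Help center</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it, so that
    'lastpass.com.evil.test' or 'notlastpass.com' do not pass."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(href: str, text: str) -> list:
    """Return the reasons a link looks suspicious; an empty list means it passed."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("not https")
    if not host_belongs_to(host, LEGIT_DOMAIN):
        reasons.append(f"host {host!r} is not under {LEGIT_DOMAIN}")
    # Visible text that itself looks like a URL must point to the same host.
    shown = urlparse(text)
    if shown.hostname and shown.hostname.lower() != host.lower():
        reasons.append(f"text shows {shown.hostname!r} but href goes to {host!r}")
    return reasons


def audit_email(html: str) -> dict:
    """Map every href in the message to its list of suspicious findings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: classify_link(href, text) for href, text in extractor.links}


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL_HTML).items():
        print("OK  " if not reasons else "WARN", href, "; ".join(reasons))
```

Such a check is a useful safety net in a mail filter or an awareness demo, but it does not replace the habit the post recommends: open the site from a bookmark or by typing its address rather than from a link in the message.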
This is not the first time LastPass has had to deal with security issues. Last summer the University of California, Berkeley revealed security flaws in five password managers, including LastPass. The other four were RoboForm, My1Login, PasswordBox and NeedMyPassword.
Data breaches have become a routine. You can’t prevent it, but there is a way to minimize the damage. http://t.co/Gq4ERG41NK
— Kaspersky Lab (@kaspersky) August 6, 2014
As you may know, there is no perfect security solution. It takes courage for a company to take responsibility and disclose a breach despite the risk of losing clients. Some LastPass users will want to switch to other services, while others will stay loyal no matter what happens.
If you are considering a new password manager, we can’t help but recommend the one we are sure of: Kaspersky Password Manager. We don’t store users’ passwords, so this data is impossible to steal from Kaspersky servers – it’s simply not there.
You can go even further and install Kaspersky Total Security — Multi-Device. It has a built-in password manager as well as all the security features you need to protect your devices and your data from any existing malware.