Similarly, changing your password now doesn’t undo the data breach. The hackers have already stolen the password vault data, they don’t need to bother logging into anyone’s LastPass account. Hmm, well… 2FA is irrelevant in this case. And I have two-factor authentication (2FA) enabled on my LastPass account. Well, I have a strong, hard-to-guess, unique password. The hackers need to determine what your LastPass master password is, to access the crown jewels – the usernames and passwords to all your online accounts. This sound terrible…īecause the hackers also stole encrypted customer data including: That’s valuable information for anyone attempting to phish further information from you, as they could easily pose as one of the websites you access and send you a scam email.įurthermore, simply knowing which websites you access (and store in your password manager) might reveal private information about you that you would have rather remain confidential.Īnd further still, it’s possible you stored password reset links for these websites in your password manager that might not have expired, or other sensitive information or tokens in your website URLs that you wouldn’t want to fall into the wrong hands.
#LOGIN TO LAST PASS HOW TO#
In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use. IP addresses which customers used to access LastPass.The stolen data includes the following unencrypted data: LastPass hasn’t said when it believes the theft of the password vaults occurred, but the most important thing to you is probably what the stolen data contained, and how it could be exploited by hackers. So let me get this straight – the theft of the password vaults and other data from LastPass may well have occurred in August or September… long before they announced it as I was distracted wrapping Christmas presents? And sure enough, just before Christmas, LastPass confirmed that the information stolen from a developer’s account in the August 2022 attack was actually “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes…” Part of LastPass blog post, December 22 2022. Well, LastPass might have not seen any evidence that customers’ passwords vaults had been accessed then, but… But when a company says it has “seen no evidence” of anything bad happening, that’s not necessarily the same as saying “nothing bad happened”?Ĭorrect.
#LOGIN TO LAST PASS CODE#
You’re probably thinking of the original announcement LastPass made back on August 25 2022, where it said that a hacker had managed to gain access to a developer’s account, and stolen some of its source code from a development environment.īack then LastPass said that it had “seen no evidence that this incident involved any access to customer data or encrypted password vaults.” So they were wrong when they said that? But wasn’t there news of a LastPass hack earlier in the year? Just days before Christmas, when most people probably weren’t paying too much attention, password management service LastPass revealed that hackers had accessed customers’ password vaults.
0 kommentar(er)
