The LastPass password manager application was hacked again in December. In August, the hackers had stolen essential information to better return in December. LastPass has hired cybersecurity firm Mandiant, but the situation appears to be more serious than advertised. In any case, how can you trust LastPass again?
First hack of the year in August
Various stolen technical information had allowed hackers to break into parts of LastPass’s infrastructure, stored in a shared cloud with parent company GoTo. They were also able to steal personal data, and while Lastpass claims that passwords remain securely encrypted (thanks to LastPass’ Zero Knowledge architecture), it appears the attack was much more serious than advertised…
Users explain their hack on Twitter
Some have suffered a massive attack and even their crypto wallet has been emptied, despite a long password, data encryption, and 2FA (double authentication). It seems that the Twitter user quoted below kept his coins on a CEX (centralized exchange). However, on LastPass, the urls of the sites are not encrypted (which inevitably attracts the attention of hackers, more than a site on gardening). If LastPass Authenticator was used to store and back up the 2FA key, then hackers were able to access the exchange. He tells his story below.
Choose a long and complex password
Password managers are managed by a master password. Once hacked, the door is open to everything else: passwords, personal documents, etc. It is therefore very important to choose this password carefully and especially not to save it online, in a cloud or in a text file. Too many people still use simple passwords (123456), as can be seen in this article, “Test your password and email address”. The master password must be at least 12 characters and must not be used on another site.
Centralization of personal data: a good idea?
Many have been using password managers without any problems for a long time. However, the centralization of personal data is a real “honeypot” which, in the future, will attract more and more hackers. The gate France Connect was itself hacked in August 2022, which led to phishing campaigns and fraud (notably carte vitale fraud). In LastPass accounts, company names, usernames, billing addresses, email addresses, phone numbers, IP addresses, and more have been stolen. LastPass cannot yet tell if the banking information was stolen as well: There is no evidence that unencrypted credit card data was accessed “. A little vague for such sensitive information. In any case, expect a phishing campaign in the coming months.
Why secure my data if I have nothing to hide?
We talk a lot about digital identity and public services that are committed to securing our personal data. There is still a lot of work to do in this direction (see the France Connect hack). Cybersecurity is a major issue, because even if you have “nothing to hide”, you certainly don’t want your bank accounts to be emptied or your identity to be used for villainous purposes (identity theft). It is therefore more essential than ever to protect your passwords, your email addresses, your online accounts and of course your crypto wallets. Do not hesitate to read the article to secure your emails and passwords and follow the excellent advice in this other article.
Information provided by LastPass on its site (more info in the English section of the LastPass site).
Few people realize how creative hackers are in using personal data. If administrations and banks try to secure contact forms, bank details and other data as well as possible, you are also responsible for your security on the Internet. Choosing strong passwords, not clicking on any link and other measures described above, ensure a minimum of security. In the case of LastPass, you are certainly not responsible, however, if your master password was weak (or used on other sites), it will be more easily hacked. Don’t wait for instructions from LastPass and secure your data immediately.
Receive a digest of news in the world of cryptocurrencies by subscribing to our new service of daily and weekly so you don’t miss any of the essential Tremplin.io!
