LastPass Was Hacked – How To Stay Protected
On June 16, users of LastPass, an extremely popular password manager, received the following notice:
The news hit media channels fast with reports of this LastPass hack, and LastPass users were vocally angry about it, perhaps with good reason. According to the notice from LastPass, sensitive user data stored as part of the service was not compromised. However, that doesn’t mean user information hasn’t been leaked: the information on users themselves, such as their email addresses and password reminders, has indeed been compromised.
As a result of the incident, LastPass is now requiring email authentication whenever a new device attempts to log into the service.
The LastPass Hacking Is More Serious Than It Seems
While LastPass may be somewhat downplaying the incident by claiming that the new security measures will eventually mean a more secure service, the fact that users’ email addresses and password reminders were compromised means this was a serious breach, which could lead to hackers accessing other stored data.
With stolen user emails in hand, hackers could collect additional information on victims. These email addresses, for example, could be used to search for victims’ Facebook profiles and other accounts. From the victims’ social media profiles, hackers can extract a lot of background information, such as the victim’s name, date of birth, location, family members, etc. This additional information can then be used to obtain even more information through underground services.
With all of the collected information hackers could obtain, they could also figure out the user’s password. For example, if the password reminder is “Dad’s Date of Birth,” hackers could use all the collected information to figure out the password.
LastPass’s requirement of email authentication when logging in from a new device is a step in the right direction, but it’s far from offering any real security. Most people re-use passwords, making it more than likely that any uncovered passwords could result in a breach across the various services used by victims. In this particular scenario, a hacker would be able to bypass all security measures and log into the site, essentially gaining access to the highly sensitive data the user has stored on LastPass’s servers.
While this may sound like a very specific scenario, remember that we don’t know just how many emails and password reminders have been compromised. Considering LastPass is an incredibly popular service, it is possible the hackers are now sitting on a huge pile of stolen data. Hacking is often a volume business, so while most users may be fine, many others may still be at risk. Who’s to say you’re not one of them?
Considering all of the above, we recommend the following steps in order to protect your LastPass account and data:
- If your LastPass account was hacked, there’s a good chance your email was too. Start by checking if your email account has been hacked – because most hacks start within your email. You can safely do so with this free tool.
- Make sure your LastPass account password is different than the password you use for other online services, including your email account.
- Restrict access to the account only to your country. To do so, log into your LastPass account and click Account Settings > Show Advanced Settings > Only allow login from selected countries.
- Make sure access from the anonymous network TOR is disabled. To do this, log into your LastPass account and click Account Settings > Show Advanced Settings > Disallow settings from Tor networks. Note: This should already be checked, so just make sure that it is.
- Activate LastPass’s two-factor authentication service, which will require that you provide a one-time code (which will be sent to your mobile device) every time you log into the service. While this may be an annoyance, it does provide a much better security measure than the email authentication LastPass has employed. You can set up two-factor authentication by logging into your LastPass account and clicking on the Multifactor Option tab, and then choosing a service from the list (Google Authenticator is the most common one).
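The one-time codes produced by Google Authenticator and similar apps are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following Python is an added example written for this article, not LastPass's or LogDog's code: it generates the codes from a shared secret and shows the two server-side checks that make the "one-time" promise hold, a small drift window for clock skew and a replay guard that refuses to accept the same time step twice. The Base32 enrollment key in the demo is a constructed value, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server-side check: accept the code for the current step or one step either side (clock drift),
    but never accept a time step that has already been consumed, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step already used by a successful login

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed: treat a match here as a replay and ignore it
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so the check leaks nothing about the expected code.
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


def secret_from_base32(enrollment_key: str) -> bytes:
    """Authenticator apps are enrolled with a Base32 string (usually shown as a QR code); decode it to key bytes."""
    key = enrollment_key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore the padding apps commonly strip
    return base64.b32decode(key)


if __name__ == "__main__":
    # Constructed demo enrollment key, not a real account secret.
    demo_key = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(demo_key, now)
    verifier = TotpVerifier(demo_key)
    print("code:", code,
          "first use accepted:", verifier.verify(code, now),
          "replay accepted:", verifier.verify(code, now))
```

The app and the service only ever share the secret once, at enrollment; afterwards both derive the same six digits from the secret and the clock, which is why a code intercepted from one login is worthless a minute later, and why the replay guard above matters for the few seconds in which it would still be valid.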
Protect Your Online Accounts and Personal Information
Perhaps now more than ever, it’s crucial to take a hands-on approach regarding your privacy and the security of your personal data and online accounts (Gmail, Facebook, Dropbox, etc.). Fortunately, you can use LogDog, the free anti-hacking tool, to protect your most popular accounts.
The service can be used across all devices and operating systems, so you’re always protected. Here are the Android and iOS links for you to check out.