Email addresses, password reminders and passwords themselves were compromised in the hack

LastPass, a cybersecurity and password firm that aims to help people keep their logins safe, has been hacked and had users’ data compromised.

The service is one of many that aim to help people keep passwords safe by keeping them all in one place — users remember one master password, and software generates safe, unique ones for each website a person visits.

But hackers have broken into the company’s network and stolen those master passwords and other login details, potentially exposing all of the data that has been stored with passwords generated from the service. The passwords that have been stolen are hashed, meaning that they are encrypted and the hackers will have to break that encryption to actually read them.

The company says that it is “confident” that the encryption measures it uses “are sufficient to protect the vast majority of users”, in a blog post announcing the breach. As such, the company doesn’t recommend changing the passwords on the accounts used with LastPass, but does recommend changing passwords on the service.

Users will be sent emails telling them about the breach and will be prompted to reset the master password. The service also encourages resetting the password on any site where the master password had been used.

Password managers like LastPass advertise themselves on being much safer than alternatives. Rather than people needing to remember individual passwords — and therefore choosing easy to guess ones, like 123456, or write them in obvious places — they can just remember one and the manager will generate much more secure ones for other sites.

But it does mean trusting one site to store password information for all logins on the internet. LastPass encrypts all of the information it stores to ensure that it is kept secure.

Comments