Keeping track of all your passwords is difficult, particularly when you need to constantly choose complex and varied passwords to maintain some semblance of security online. LastPass was founded in 2008 to make things easier, but it is developing an unfortunate reputation. The company recently announced that it was the victim of another security breach, its second in six months. And if you look further back, this just keeps happening to LastPass.
According to the latest LastPass blog post, its security team recently detected unusual activity in a cloud storage account it shares with its partner brand GoTo. After investigating, the team confirmed that the unknown attackers used data acquired during the previous August 2022 breach to gain access to the system. At the time, LastPass claimed there was no evidence that the breach included access to user data, but it now says customer data was accessed.
LastPass says it has alerted law enforcement and is continuing to work to fully understand the scope of the latest infiltration. That’s a bit of a sticking point, though. While LastPass says the cyber criminals gained access to “certain elements” of customer information, it has not provided any specifics beyond one admittedly important point about customer passwords: LastPass encrypts all user passwords and does not have the means to decrypt them. So even if the attackers did manage to copy user account data, it is unlikely they would be able to access it.
The history of LastPass security flaws is extensive for a small company that has only been around since 2008. In 2011, attackers stole user data from LastPass, forcing users to change their master passwords. It happened again in 2015, which is when LastPass started using stronger encryption. In 2016, 2017, and 2019, there were serious vulnerabilities reported by security researchers, all of which were patched. Just last year, users had to change their master passwords following malicious login attempts that the company blamed on credential stuffing. However, affected individuals claimed their LastPass credentials were unique. We never got closure on that one, but here we are in 2022 with a pair of LastPass breaches.
Passwords are an imperfect way to secure accounts. You either choose strong passwords that require a third party to manage, or you keep the passwords simple. In either case, you could end up getting hacked. It’s no wonder Microsoft, Google, and others are trying to kill the password.