You probably know that you should have a unique, secure password for every site you visit (unless you’re already living in the post-password world of passkeys). You also probably know that there’s no way you’re going to remember all of those unique passwords, which is why we have password managers like 1Password, LastPass, Dashlane, Bitwarden, or the built-in solutions for Google Chrome, Firefox, and other browsers.

Unfortunately while cloud-based solutions make life easier by ensuring that you have access to your passwords across a range of devices, cloud-based password management services are a tempting target for hackers… and one of the world’s most popular password managers has just announced that hackers have stolen a massive archive of customer data.

LastPass says that an unauthorized party accessed its servers in August (we already knew that). At the time LastPass says “no customer data was accessed,” but the hacker did get some source code and other information… and those were used in a later attack that allowed the hacker to gain access to “some storage volumes within the cloud-based storage service.”

In a nutshell, a hacker made off with “a backup of customer vault data.” The good news is that the most sensitive data (your passwords) are encrypted and LastPass doesn’t even keep a copy of your master password. So if you have a unique, secure password that you use for LastPass, it should theoretically take “millions of years” for the hackers to use a brute force attack to break into your vault.

The bad news is that new techniques for brute force attacks are appearing all the time, folks who may have had not-as-secure-as-they-should-be passwords might be less safe, and LastPass has a habit of minimizing the damage done in security incidents like this. So I wouldn’t blame LastPass users for being a little bit panicked at the moment.

Fortunately there are some steps you can probably take to minimize your vulnerability moving forward:

  • If you’re not already using multi-factor authentication with your LastPass account, turn it on now.
  • Changing your LastPass master password probably won’t help protect you from the current breach – hackers have a backup of your data that can be unlocked with your current (or old) password. But if you don’t have a unique 12-digit or longer password yet, you should probably choose one now to help protect yourself from future attacks.
  • What you may want to do is change some or all of the passwords for third-party sites and services that are stored in your LastPass account. At a minimum, I’d recommend changing your passwords for bank accounts, online stores, or any other sites that have your financial data including bank account numbers, credit card numbers, or other information that could be used to drain your bank accounts or rack up credit card debt.
  • Fortunately LastPass has an Auto Change Password feature that may speed up the process. For sites that don’t support automatic password changes, you can follow the instructions for changing your passwords manually.
  • You may be thinking now is a good time to stop using LastPass altogether and switch to another password management system. Just keep in mind that even if you do that, you may want to change some of your existing passwords before migrating, as simply cancelling your LastPass account won’t protect you from a hacker who may be able to brute force their way into your backup if it still contains your current passwords.

Here’s a roundup of recent tech news from around the web, including a few stories that aren’t about LastPass.

Hackers stole a backup of LastPass’s customer vault data[LastPass]

This includes both encrypted data such as usernames, passwords, and secure notes, and unencrypted data like website URLs.

The breach has been widely covered by tech news sites in the pat 24 hours. Here are some other articles that may provide more details, context, and advice:

Emulating an iPod Touch 1G and iPhoneOS 1.0 using QEMU [Martijn de Vos]

This emulator image runs iPhoneOS 1.0 build 3A101a, the first firmware Apple ever released for its iPod touch. The emulator runs a bootloader, kernel, and Springboard software to render the iOS home screen and other apps. The developer says “all hardware components” needed to do that are functional, but there are some features that aren’t yet supported including audio devices, the graphics processor, video encoder and decoder, and USB OTG device. So it’s still very much a work in progress. But it’s still a very impressive feat of reverse engineering.

Custom-built #LEGO brick with a #RaspberryPi RP2040 MCU and an OLED display.https://t.co/iMzIUfsBND

— CNX Software (@cnxsoft) December 23, 2022

Keep up on the latest headlines by following @[email protected] on Mastodon. You can also follow Liliputing on Twitter and Facebook, and keep up with the latest open source mobile news by following LinuxSmartphones on Twitter and Facebook.

 

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign

or...

Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

Join the Conversation

9 Comments

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. Ahem! Einstein here 🙂
    I always use a small paper notebook to keep my passwords.
    Of course I ‘am just adding “dumb” prefix and suffixes with passwords to keep safe from others in any case of lost.
    Also someone can change hint words of the websites too when writing down like,
    Amazon (Brazil Jungle)
    Twitter ([Birds], [Blue Sparrow] etc.)
    Facebook ([Friend Network], [Friends Web], [Big Blue Ad Machine] etc.)
    And then I don’t write my own email aynwhere.

  2. The Sipeed Lichee Pi 4A is now up for pre-order!

    https://sipeed.com/licheepi4

    Their SoM – T-head’s 1520 on a docking board. An excellent idea, which gives them the opportunity to promise a tablet and a smartphone to come!

    Sipeed seem to be at the vanguard of RISC-V.

    1. Sipeed is selling up to $50 off coupons, with no specific prices. If the board is $100, you could buy it with $50 PayPal and $50 in coupons. A Chinese style Kickstarter.

  3. Season’s Greetings, Brad.

    Thanks for all your hard work over the year – it is appreciated.

  4. Sucks to be LastPass. Using things like LastPass is inherently insecure for the very reasons discussed in this article. People, simple rule, memories your passwords and use long complicated passwords. 16 character minimum and use a combination of upper case, lower case, numbers and special characters. Example:
    !aBcdEfg,hjK-345098=
    The above password is not easily guessed and is million-year safe(needs more than a million years to crack) by all brute force and standard methods.

    Before anyone says that it impossible to remember, I say you’re wrong. The human mind has an exceptional memorization aspect, one just need some practice. Practice make perfect.

    1. Humans can also run marathons, but damn few do. Now, I suppose one could memorize a password system, so your passwords could be

      Amazon okM[Na]ijN{6&}uhB
      Facebook okM[Kf]ijN{8(}uhB
      Liliputing okM[gL]ijN{0_}uhB

      and so on, but remembering the 100+ logins my browser says I have? No way.

      I just keep a text file with a non-informative name and misleading extension in an obscure folder, loadable by a macro in my text editor. That also covers the dozen-plus email addresses I use on various sites.

    1. Always use local password managers. If you had KeePass nobody could have those passwords unless breaking in your house.

      For all the people, stop using online password managers. I can’t say it enough.

      1. Check the KeePass Wikipedia page for known weaknesses. People literally have to break into my house for the notebook of all my passwords.