LastPass, the popular and free password manager, has been hacked again. The CEO says no passwords were stolen in the breach.
This is not the first time LastPass has been targeted by hackers. In August of this year, the company had already been breached once. In that breach, the hackers gained access to the development environment behind the password manager, where they were able to look around for four days before the intrusion was discovered.
This time, the hackers used what they learned in August to hack LastPass efficiently. They allegedly gained access to cloud storage that LastPass uses, which is provided by another company that has not been named. According to LastPass CEO Karim Toubba, the intruders gained access to “certain information” from its customer base. The company cannot yet say exactly what that information is. It is still investigating how large the breach was and what data was exposed.
No passwords leaked
The CEO emphasizes that no passwords were stolen in the hack. A ‘zero knowledge’ architecture ensures that all passwords are encrypted and that LastPass cannot decrypt them itself. All decryption keys are located on the user’s device and not on the server, so LastPass itself cannot simply see what your password is. Any hackers who make off with encrypted passwords will also not be able to decipher them.
LastPass is used by approximately 30 million people. These people should not change their passwords for the time being, since that information has not been leaked. LastPass itself says that it is enough to do nothing. You can also continue to use the service: everything remains operational.