LastPass, the free password manager available on desktop and mobile devices, hacked. All the details
LastPass, an app for protecting passwords, is under attack. The company has confirmed an extensive operation aimed at accessing the data of registered accounts. According to initial findings, dozens of users have received email alerts about an unauthorized attempt to access their accounts, which was promptly blocked. Linking the activity is a series of Brazilian internet addresses from which the operations are said to have started, Ansa reports. However, LastPass says there is no evidence of a data breach following reports from users who were notified of unauthorized login attempts, as reported by AppleInsider. In the last few hours, LastPass has reassured subscribers to the service, stating that no data has been stolen. All the details.

WHAT LASTPASS DOES

The application is used as a safe to protect each user's passwords, using a single master key, called the "master password".

TARGET OF HACKERS

"And this is exactly what hackers are aiming for, through the 'credential stuffing' technique, which uses automated software capable, in a few seconds, of trying millions of combinations between username and secret keys, hoping to reach the correct mix to access profiles. Names and passwords come from other violations that have occurred online, of which people often do not even know they are victims", explains Ansa. This is why experts always advise not to use the same combination for multiple sites and apps.

THE COMPANY'S REASSURANCES

The password manager claims that it has never been compromised and that user accounts have not been accessed by attackers. "LastPass has reviewed recent reports of blocked login attempts and we believe the activity is related to a credential stuffing attempt. At the moment, we have no indication that access to the accounts has been performed correctly or that the service has been compromised by an unauthorized party".
INVESTIGATION IN PROGRESS

"Our investigation found that some of these security advisories, sent to a limited subset of LastPass users, were likely activated by mistake," reads a company statement released to The Verge. "As a result, we have adapted our safety alert systems and this problem has been solved since then." "These alerts were triggered due to LastPass's ongoing efforts to defend its customers from malicious and credential stuffing attempts," the company added.

THE SECURITY MODEL ADOPTED

Additionally, LastPass reiterated that "LastPass's zero-knowledge security model means that at no time does LastPass memorize, know or have access to users' master passwords." The company therefore says it will continue to "regularly monitor unusual or harmful activities". "If necessary, we will continue to take steps to ensure that LastPass, its users and their data remain safe and secure," concludes LastPass.

THE RECOMMENDATIONS OF THE EXPERTS

Meanwhile, reports are increasing both on the Hacker News forum and in various posts on Twitter. "While LastPass hasn't been hacked, it's still a good idea to bolster your account with multi-factor authentication, which uses external sources to verify your identity before logging into your account," recommends The Verge.
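
The credential stuffing pattern described above leaves a recognizable trace in login logs: one source touches many different accounts and almost every attempt fails. The following sketch is an example added here, not LastPass's detection logic; the event format, thresholds, usernames and IP addresses are constructed assumptions. It flags such sources and separates accounts that only saw blocked attempts from accounts where a login actually succeeded.

```python
from collections import defaultdict

# Constructed sample login events (source IP, username, outcome); not real data.
SAMPLE_EVENTS = (
    [("203.0.113.10", u, "failure") for u in ("ana", "ben", "cruz", "eli", "finn")]
    + [("203.0.113.10", "dana", "success")]   # one reused password worked
    + [("198.51.100.7", "alice", o) for o in ("failure", "failure", "success")]
    + [("192.0.2.44", u, "success") for u in ("gil", "hana", "ivo", "jo", "kim")]
)


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Return {ip: (distinct_users, failures, successes)} for suspicious sources.

    Credential stuffing tries one leaked pair per account, so a source touches
    many distinct usernames and almost all attempts fail. Thresholds are
    assumed values for this example and need tuning per service.
    """
    stats = defaultdict(lambda: {"users": set(), "failure": 0, "success": 0})
    for ip, user, outcome in events:
        stats[ip]["users"].add(user)
        stats[ip][outcome] += 1
    flagged = {}
    for ip, s in stats.items():
        total = s["failure"] + s["success"]
        if len(s["users"]) >= min_users and s["success"] / total <= max_success_ratio:
            flagged[ip] = (len(s["users"]), s["failure"], s["success"])
    return flagged


def triage(events, **thresholds):
    """Split accounts hit by flagged sources into blocked-only and accessed."""
    flagged = find_stuffing_sources(events, **thresholds)
    blocked, accessed = set(), set()
    for ip, user, outcome in events:
        if ip in flagged:
            (accessed if outcome == "success" else blocked).add(user)
    # An account with any successful login from a flagged source needs a reset,
    # not just a "blocked attempt" notice.
    return flagged, sorted(blocked - accessed), sorted(accessed)


if __name__ == "__main__":
    flagged, blocked, accessed = triage(SAMPLE_EVENTS)
    print("flagged sources:", flagged)
    print("notify (attempt blocked):", blocked)
    print("force reset (login succeeded):", accessed)
```

A single user mistyping a password (alice) and a shared office address where every login succeeds are both left unflagged, which is the kind of tuning that keeps alerts from being sent by mistake.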