LastPass users have to change their passwords

Something went wrong: the web service for secure password storage LastPass asks users to change their passwords asap.


Online password managers can make your life much easier by automatically entering individual passwords for each website and service you visit. It is a very convenient tool unless it is hacked. In this case, by discrediting a single password cyber criminals can receive access to invaluable information — even to your banking credentials.

LastPass, a popular password manager, has recently disclosed a breach in their network. Attackers compromised user email addresses, password reminders, per-user salts and authentication hashes. The passwords themselves are not compromised, as the service doesn’t store them in its cloud. Nevertheless, LastPass recommends users to change their LastPass master passwords and enable multifactor authentication.

Let’s give credits to the company: when LastPass found the breach, it quickly came out with a public warning. Many large companies try keeping breaches in secret, but not in this case.

At the same time, potential consequences of the breach seem to be dubious. CEO and founder of LastPass Joe Siegrist claims that the incident will not influence “the vast majority of users”. Some researchers support this position, declaring that there is no risk for users with strong passwords.

Other researchers consider that the breach can lead to a new wave of malicious activity aimed directly at LastPass users. Being armed with the list of real email addresses hackers can create a targeted phishing campaign to defraud the lacking data. For example, LastPass is advising users to change their master passwords.

What stops cybercriminals from spamming LastPass users with fraudulent letters, disguised as official ones? When people receive an unsuspicious email with warnings and recommendations from the “developers,” they can readily follow a link to change their master password — and give it right to the cyber criminals.

Here is what we can recommend to LastPass users.

  • Follow official recommendations: change your master password and enable multi-factor authentication. It would be great if to enable it on other websites as well, e.g. on social networks and emails.
  • Do not to click links in e-mail letters which claim they are from LastPass. These letters can be fake, that’s why it’s better to enter the url manually in your browser’s address bar.
  • Be sure that you don’t use your master password on any other web-site. It’s always good to use different passwords for different services, by the way.

This is not the first time LastPass has to deal with security issues. Last summer the University of California Berkeley revealed security flaws in five security managers, including LastPass. The other four were RoboForm, My1Login, PasswordBox and NeedMyPassword.

As you may know there is no perfect security solution. A company needs courage to take responsibility and reveal a breach incident despite the risk of losing clients. Some LastPass users will want to switch to other services, while others will be loyal no matter what happens.

If you are considering the new password manager, we can’t help but recommend the one we are sure of — Kaspersky Password Manager. We don’t store users’ passwords, so this data is impossible to steal from Kaspersky servers – it’s simply not there.

You can go even further and install Kaspersky Total Security — Multi-Device. It has built-in password manager as well as all the security features you need to protect your devices and your data from any existing malware.