LastPass Security Fear: What Happened?


Password manager users were concerned about security alert messages received by email. LastPass explains that it has no indication that any accounts were actually compromised by this attack.

Several user reports, picked up by some specialist media, described on December 28, 2021 attempts to break into dozens of LastPass password manager accounts. That does not appear to be the case: the company says it was not compromised, and some alert messages were reportedly sent in error.

A security alert by email

News of a breach or compromise of sensitive data is always bad news. But when it hits your password manager, panic is in order. A password manager like LastPass or Dashlane is an added guarantee of security, the assurance that a data breach or theft of credentials will not expose all of your accounts at the same time. These applications make it possible to generate complex passwords, specific to each site or application, and to store them securely.

These passwords are protected in an account, which acts as a safe, by a unique password known as the “master” password. But here, reports posted on a specialized forum and then on Twitter described attempts to log in to users’ LastPass accounts using, according to an email, their master password. “If so, I’m in a world of pain,” lamented the author of a post on the Hacker News forum.

According to LastPass, no compromised accounts

In an initial statement emailed to the specialist outlet The Record, LastPass said on December 28, 2021 that investigations were underway into what the company believed to be a “credential stuffing” attempt. This is a type of cyber attack that uses stolen credentials to automatically try to log into a user’s other accounts. But LastPass denies any data leakage.

Diagram that explains how a credential stuffing attack is carried out. // Source: Neal Mueller – OWASP

In a second, more detailed statement, shared with The Verge on December 29, 2021, LastPass said it had no indication as of yet that any accounts were actually compromised by this attack. Also according to the company, some of the security alerts that alarmed users were “probably triggered by mistake” because of a problem that has since been resolved.
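From the service side, credential stuffing as described above looks different from a brute-force attack: one source tries many different accounts, only once or twice each, and almost every attempt fails. The sketch below is an added example, not LastPass code; the log format, the thresholds and the grouping by source IP are assumptions made for illustration, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, success)
# 203.0.113.7 tries one leaked password per account across many accounts.
# 198.51.100.9 hammers a single account (brute force, a different pattern).
# 192.0.2.10 is an ordinary user who mistypes once.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i == 4) for i in range(8)]
    + [("198.51.100.9", "alice@example.com", False)] * 12
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)


def flag_credential_stuffing(events, min_accounts=5, max_avg_tries=2.0,
                             min_failure_ratio=0.8):
    """Return {source_ip: stats} for sources matching the stuffing pattern:
    many distinct accounts, few attempts per account, mostly failures."""
    per_source = defaultdict(lambda: {"accounts": defaultdict(int),
                                      "failures": 0, "hits": []})
    for source_ip, username, success in events:
        stats = per_source[source_ip]
        stats["accounts"][username] += 1
        if success:
            stats["hits"].append(username)
        else:
            stats["failures"] += 1

    flagged = {}
    for source_ip, stats in per_source.items():
        total = sum(stats["accounts"].values())
        distinct = len(stats["accounts"])
        if (distinct >= min_accounts
                and total / distinct <= max_avg_tries
                and stats["failures"] / total >= min_failure_ratio):
            flagged[source_ip] = {
                "distinct_accounts": distinct,
                "attempts": total,
                # Accounts where a reused password worked: these owners
                # need a forced reset and a notification.
                "accounts_to_reset": sorted(stats["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

Only the first source is flagged; the single-account brute force and the ordinary user who mistypes once fall outside the pattern.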

Some good practices to keep your mind at ease

Even if the danger seems over here, a good practice in this kind of case is to systematically change your password when a security alert affects a service you are using. This digital hygiene measure can be painful, but it is at least advisable to do it for the most sensitive accounts: banking services, password managers, email addresses.

Regarding your master password, the one that allows access to your password manager, it is essential to follow a few recommendations so that your identifiers are effectively protected.

It must first follow complexity rules (a high number of characters, special characters, capital letters, not the first name of a family member or your dog, etc.), so that it cannot be attacked by brute force, that is, by automatically trying every possibility, or by using dictionaries of common passwords.

Finally, this password must be unique, and above all not be used for another account, otherwise it would lose its usefulness in the event of a data leak. A good way to remember this master password is to use a phrase, a series of words with a few special characters, rather than just a series of random characters.

It is also strongly advisable to enable two-factor authentication, or 2FA, which is available for LastPass. With this system, each new login triggers a code sent by SMS or email that validates who is trying to access your account, and therefore blocks a potential attacker who has obtained your credentials.
