While the hackers didn’t get any live data (that is, the up-to-date information that LastPass servers store and use in real time), they did get their hands on backups. Since most people aren’t in the habit of changing their passwords regularly, those backups most likely still contain relevant information.
Here’s a list of the types of information confirmed to have been retrieved:
- Company and user names
- Billing addresses
- Emails
- Mobile numbers
- IP addresses
Suffice it to say that in some cases the malicious third party may have a full package of user data. No good at all. But what about usernames and passwords, the main types of data the company handles?
Well, those have been stolen too; however, they remain encrypted. That means that, thanks to LastPass’ zero-knowledge architecture, the culprits won’t be able to figure any of them out unless they know your master password.
What should I do to keep my LastPass account safe?
According to LastPass’ claims, if you follow their password best practices, the hackers would need, quote unquote, “millions of years” to brute-force your passwords with current-day technology (brute-forcing being the IT term for trying every possible guess in turn).
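As an added illustration (not code from the article or from LastPass), the snippet below shows the two mechanics the paragraphs above rely on: the client stretches a vault key out of the master password with PBKDF2, so a stolen backup holds only material that is useless without that password, and anyone guessing offline has to pay the full key-derivation cost for every single candidate. The iteration count, guess rate and password policies are assumed figures chosen for illustration; LastPass’ real parameters are not stated in the article.

```python
import hashlib
import math

# Assumed KDF settings for illustration only; the article does not state
# LastPass' actual iteration count or key length.
KDF_ITERATIONS = 100_000
KEY_LEN_BYTES = 32


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    In a zero-knowledge design this runs on the client; only the resulting key
    decrypts the vault, and neither the password nor the key is sent to the
    server. A backup of the server therefore contains ciphertext plus a salt,
    nothing that reveals the password directly.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN_BYTES)


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from charset_size^length."""
    return length * math.log2(charset_size)


def expected_cracking_years(length: int, charset_size: int,
                            iterations: int, hashes_per_second: float) -> float:
    """Expected wall-clock years for an offline attacker to hit a random password.

    Each guess costs `iterations` hash computations (the KDF work factor), and the
    correct password is found on average after half the keyspace is searched.
    `hashes_per_second` is the attacker's assumed raw SHA-256 throughput.
    """
    expected_guesses = charset_size ** length / 2
    seconds_per_guess = iterations / hashes_per_second
    seconds = expected_guesses * seconds_per_guess
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample values: a salt and two candidate master passwords.
    salt = b"user@example.com"
    real_key = derive_vault_key("correct horse battery staple", salt)
    wrong_key = derive_vault_key("correct horse battery stable", salt)
    print("one-character difference yields an unrelated key:", real_key != wrong_key)

    # Assumed attacker throughput of 10 billion SHA-256 hashes per second.
    rate = 1e10
    for label, length, charset in [("8 lowercase letters", 8, 26),
                                   ("12 chars, full keyboard", 12, 95)]:
        years = expected_cracking_years(length, charset, KDF_ITERATIONS, rate)
        bits = password_entropy_bits(length, charset)
        print(f"{label}: {bits:.1f} bits, ~{years:,.0f} years expected")
```

The two policies in the demo show why the master password matters more than anything else in this design: with the same assumed KDF cost and attacker speed, a short lowercase password falls in well under a year, while a long password drawn from the full keyboard lands in the “millions of years” range the article quotes.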
Another thing you should do is remain vigilant for social engineering or phishing attempts, even if you did change your passwords. These are often emails or DMs that try to convince you to hand over your login info by pressuring you into sharing it.
This is your kind reminder that no respectable company out there would ever do that. If one does, you should definitely question its respectable-ness. And a good way of questioning is double-checking.
For example, if someone who is presumably your bank calls and asks for your online banking information, postpone the call, then call your actual, non-presumed bank and ask whether they just called you to request that info. The answer will likely not be shocking.
Honestly, they are doing the best possible thing: eliminating everything that has something to do with the stolen know-how and rebuilding a brand-new system from scratch, with enhanced protection and alert mechanisms.
LastPass CEO Karim Toubba stated that, as of now, there is no need to take further action. They even go as far as saying that if your current master password complies with the aforementioned best practices, you can go on without changing it.
But, though the nature of life is such that few things remain consistent over time, one thing always does: better safe than sorry. We strongly recommend that you familiarize yourself with how to build a strong password and utilize that knowledge to its full extent.