Cybersecurity experts are expressing concern over the latest data breach suffered by password manager LastPass, as the cloud security company remains mum in the face of a class-action lawsuit linked to multiple hacks on the firm last year.
LastPass first alerted customers in August 2022 that “an unauthorized party gained access to portions” of its network through a developer’s compromised account, and determined at the time that no customer data or encrypted password vaults were accessed by the hacker.
The company then admitted a second breach in late November, saying someone used information accessed in the August hack to “gain access to certain elements of our customers’ information.” LastPass insisted users’ passwords remained safely encrypted at that time.
But in the company’s latest blog update on Dec. 22 regarding the security incidents, LastPass CEO Karim Toubba acknowledged that a “threat actor” had copied a backup of customer vault data that included “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” That has experts sounding the alarm.
Yiddy Lemmer, who owns IT support and cybersecurity firm CompuConnect based out of New York, told FOX Business he still recommends people use password managers to keep their data safe — but he no longer recommends LastPass. In fact, he quit using LastPass himself a few weeks ago after discovering the extent of the breach.
“When I learned the depths of how bad it was, I switched right away,” Lemmer said. “I’m not going to wait around for the next hack until it gets worse.” Lemmer now uses LastPass rival Bitwarden to manage his passwords.
Nashville, Tennessee-based cybersecurity firm Galactic Advisors sent out a warning to customers over the LastPass hack on Jan. 3, saying it had “received information indicating that some of the unencrypted data” exposed in the attack “could be used for more than phishing.”
The same week, LastPass was hit with a class-action lawsuit from a former customer who claims the hack resulted in someone accessing the private keys he had stored on LastPass to steal roughly $53,000 worth of bitcoin.
LastPass CEO Toubba has not provided an update on the security incidents on the company’s blog since Dec. 22, and the company has not yet responded to multiple requests for comment from FOX Business.
Russ Reeder, CEO of cybersecurity firm Netrix Global, says it is critical for companies to provide clear communications to both inform clients and protect those affected by data breaches early on.
He added, “It’s scary when a password keeper company we have all been trained to rely on gets breached.”
LogMeIn announced in Dec. 2021 that it was spinning off LastPass as a standalone company. At the time, LastPass had 30 million users and served more than 85,000 businesses.