For a company that’s supposed to keep your digital secrets safe, LastPass sure is having a hard time of it recently. The password management service has revealed that it’s been hacked… again.
It’s the second time that the popular LastPass service (which protects users’ passwords, sensitive information, card details and more behind a single super-strong ‘master’ password) has been hacked in just six months. And to make matters worse, even LastPass itself doesn’t seem certain about what exactly was hit.
While a blog post from the company states that “customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” it also concedes that “certain elements” of “customers’ information” were accessed by the hacker.
A history of hacks
“In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating,” wrote LastPass chief executive Karim Toubba.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
One thing does seem certain — this hack is directly related to one that occurred back in August of this year, and may even have been perpetrated by the same person. According to Toubba:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Time for Apple Passkey adoption?
While LastPass’s app and password vault remain among the most intuitive and useful in the business, remembering all those cryptic passwords so that you don’t have to, its whole reputation rests upon its ability to keep those secrets secure. If it can’t do that (and LastPass has suffered from numerous vulnerabilities over the years), its whole reason for existing crumbles.
Such failings, however, may represent a big opportunity for Apple. This year it’s been pushing its Passkeys feature, which looks to do away with alphanumeric passwords altogether in favor of cryptographic keys that are end-to-end encrypted and unlocked by the user’s Touch ID or Face ID.
Passkey adoption has begun to roll out with the introduction of iOS 16, but it’ll be some time yet before all websites and services integrate it into their security layers.
If Passkey can prove more secure than services like LastPass, and just as convenient, it may reshape the password and personal digital security landscape altogether.