For a company that’s supposed to keep your digital secrets safe, LastPass sure is having a hard time of it recently. The password management service has revealed that it’s been hacked… again.
It’s the second time that the popular LastPass service (which protects users passwords, sensitive information, card details and more behind a single super-strong ‘master’ password) has been hacked in just six months. And to make matters worse, even LastPass itself doesn’t seem certain on what exactly was hit.
While a blog post from the company states that “customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” it also concedes that “certain elements” of “customers’ information” were accessed by the hacker.
A history of hacks
“In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating,” wrote LastPass chief executive Karim Toubba.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
“We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
One thing does seem certain — this hack is directly related to one that occurred back in August of this year, and may even have been perpetrated by the same person. According to Toubba:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Time for Apple Passkey adoption?
While LastPass’s app and password vault remains one of the most intuitive and useful in the business, remembering all those cryptic passwords so that you don’t have to, its whole reputation rests upon its ability to keep those secrets secure. If it can’t do that (and LastPass has suffered from numerous vulnerabilities over the years) its whole reason for existing crumbles.
Such failings, however, may represent a big opportunity for Apple. This year it’s been pushing its Passkeys feature, which looks to do away with alphanumeric passwords altogether in favor of cryptographic keys, end-to-end encrypted, locked behind a user’s TouchID and FaceID data.
Passkey adoption has begun to roll out with the introduction of iOS 16, but it’ll be some time yet before all websites and services integrate it into their security layers.
If Passkey can prove more secure than services like LastPass, and just as convenient, it may reshape the password and personal digital security landscape altogether.
Get the best of iMore in in your inbox, every day!
Gerald Lynch is the Editor-in-Chief of iMore, keeping careful watch over the site's editorial output and commercial campaigns, ensuring iMore delivers the in-depth, accurate and timely Apple content its readership deservedly expects. You'll never see him without his iPad Pro, and he loves gaming sessions with his buddies via Apple Arcade on his iPhone 14 Pro, but don't expect him to play with you at home unless your Apple TV is hooked up to a 4K HDR screen and a 7.1 surround system.
Living in London in the UK, Gerald was previously Editor of Gizmodo UK, and Executive Editor of TechRadar, and has covered international trade shows including Apple's WWDC, MWC, CES and IFA. If it has an acronym and an app, he's probably been there, on the front lines reporting on the latest tech innovations. Gerald is also a contributing tech pundit for BBC Radio and has written for various other publications, including T3 magazine, GamesRadar, Space.com, Real Homes, MacFormat, music bible DIY, Tech Digest, TopTenReviews, Mirror.co.uk, Brandish, Kotaku, Shiny Shiny and Lifehacker. Gerald is also the author of 'Get Technology: Upgrade Your Future', published by Aurum Press, and also holds a Guinness world record on Tetris. For real.
Thank you for signing up to iMore. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.