It’s a day ending in Y, which means yet more news of security breaches. On Thursday, Lastpass notified users that its developer environment was infiltrated—but also was quick to reassure customers that password vaults and customer data are safe.
In the announcement sent via email and posted to its blog, the company describes the root issue as a compromised developer account, through which part of LastPass’s source code and proprietary technical info were taken. At this time, LastPass says it has taken steps to isolate and mitigate the issue, as well as hired an outside cybersecurity and forensic team, with the investigation still ongoing. Users are not currently being advised to change their master password.
This is not the first time LastPass has reported a hack of its service. In 2015, the company experienced unauthorized access of user account email addresses, password reminders, and authentication hashes. Other vulnerabilities have been revealed as well—Tavis Ormandy, a Google Project Zero researcher, noted in 2016 he’d found problems with LastPass’s service, and in 2017 news broke of a browser extension vulnerability that allowed websites to steal passwords. In 2019, Ormandy also discovered another browser extension vulnerability that made it possible for the last used password to be leaked.
If you’re a current LastPass user, you might be nervous about this news, even despite calm responses from prominent figures in the security field. LastPass does earn accolades for its day-to-day experience, including our top recommendation for a paid password manager, but security breaches and even communication mishaps (like last December’s accidental sending of security alert emails to customers unaffected by a credential stuffing attack) can undermine confidence in the service.
If you don’t fully trust LastPass’s reassurances and are concerned about the integrity of your password vault, you can take several routes to protect your passwords. The easiest proactive step is to change your LastPass master password. You should also make sure two-factor authentication is turned on. If you want to lock things down further, use a hardware device (e.g. Yubikey) rather than software-based token generators like Authy or Google Authenticator. You will want a backup key in case your primary one is lost, stolen, or damaged.
Of course, the nuclear option is to switch entirely to a different service, such as Bitwarden, Dashlane, or 1Password. (Bitwarden has a generous free plan if you want to test drive it first.) You can even go with a local-database-only password manger like KeePass to avoid the greater vulnerability of cloud-based services. (You can read more about KeePass in our round up of the best free password managers.)
Regardless, don’t abandon the idea of password managers all together. They’re a key part of online security, and even if they make you uncomfortable, you can find ways of making them work for you.
Alaina Yee is PCWorld's resident bargain hunter—when she's not covering PC building, computer components, mini-PCs, and more, she's scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.