Millions of users have been put at risk following the discovery of a huge security flaw in the cloud based password manager LastPass.
The critical zero day security hole – so called because it had lay unnoticed by LastPass developes – allowed hackers to remotely break into customer accounts.
LastPass is the world’s most popular online password manager which allows users to store their passwords and login details so that they can auto-fill in details whenever they try to login to one of their online accounts.
On its website, LastPass stresses the importance of security stating that it uses AES-256 bit encryption which helps to “ensure complete security in the cloud.”
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I’ll send a report asap.
— Tavis Ormandy (@taviso) July 26, 2016
However, Google security researcher Tavis Ormandy took to Twitter to say: “Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I’ll send a report asap.” The security expert is known for flagging up potential security risks at major tech companies and has previously highlighted critical flaws in software from Symantec and Kaspersky. Ormandy passed his findings on to LastPass who have since confirmed that they have fixed the vulnerability.
Full report sent to LastPass, they’re working on it now. Yes, it’s a complete remote compromise. Yes, I promise I’ll look at 1Password. — Tavis Ormandy (@taviso) July 27, 2016
“In follow-up to recent news, we want to address in more detail two security reports that have been disclosed to our team. One report was disclosed yesterday, while the other report was responsibly reported and fixed over a year ago. Notably, both exploits do require tricking a user via a phishing attack into going to a malicious website,” LastPass said in a blog post.
Technical details of the vulnerability have now been disclosed but it is thought that no cyber attacks have been reported which could be related to the security hole.
Ormandy has since said that he would next be checking rival password manager 1Password for any security holes.
Following the discovery of the vulnerability, the official advice from LastPass to all users is:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Use a different, unique password for every online account.
- Use a strong, secure master password for your LastPass account that you never disclose to anyone, including us.
- Turn on two-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Keep a clean machine by running antivirus and keeping your software up-to-date.
Do you use LastPass or any other password manager?
Would you trust cloud based password managers to keep your login details safe?