LastPass has not been hacked!
The hugely popular LastPass password manager has not been hacked. This is official and confirmed by LastPass itself, which has issued a warning to users after a hacking campaign began sending emails that state the precise opposite and urge users to download a malicious update designed to steal master passwords. The brand is issuing guidance as some customers receive phishing emails falsely indicating that their accounts have been compromised.
LastPass Confirms It Has Not Been Hacked
“To be clear, LastPass has NOT been hacked,” Mike Kosak, a senior principal intelligence analyst with LastPass, has confirmed, having taken the unusual step of making such an announcement in an official Oct. 13 blog posting. The confirmation came on the same day that LastPass became aware of a new phishing campaign designed to hack LastPass user accounts, distributed in an email with the title: “We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security.”
The giveaway that these emails are not genuine, in an ideal world, would be the fact that they come from spurious addresses rather than official LastPass ones. Kosak identified these as being “hello@lastpasspulse(.)blog” and “hello@lastpassgazette(.)blog” and, in turn, directing recipients to an equally bogus site, “lastpassdesktop(.)com,” from where a malicious update could be downloaded. Sadly, it is not an ideal world, and many consumers will still give in to the knee-jerk urge to respond if they think their password manager account has been compromised.
Do Not Change Your LastPass Master Password
Do not reset your master password, or any password, upon receipt of such an email — follow the FBI advice on this matter.
“Please remember that no one at LastPass will ever ask for your master password,” Kosak warned, adding that the password manager organization has taken steps to protect users from this hacking campaign, including getting the domains taken down and, in the meantime, having warning pages inform visitors that they are malicious.
“Please take the appropriate precautions,” Kosak concluded, “and, as always, if you are ever unsure whether a LastPass-branded email is legitimate, please submit it to abuse@lastpass.com” where it can be checked.
