
Use LastPass? Update now to protect your passwords (explainer)

The password manager patches a major security flaw that could have let hackers steal your passwords and manipulate your LastPass account.

Laura Hautala, Former Senior Writer

Password managers: they're the best way to keep your accounts safe from hackers. They're also one of the most tempting targets on the internet for hackers.

That irony was on clear display for all of last week, when password manager LastPass said it was fixing a major flaw. Found by Google security researcher Tavis Ormandy, the flaw was so serious that LastPass urged users not to use its browser extension until the problem was fixed.

How bad could it be? The bug could have let hackers breach your account, taking your passwords and making changes to your account settings. The vulnerability was in the LastPass browser extension, the component that can auto-fill usernames and passwords into login pages.

Late Friday, the company said the problem was fixed. Now, users should make sure they're using the most up-to-date version of the security software.

How can I make sure my LastPass account is safe?

LastPass users should make sure they have the updated version of the browser extension installed on every browser they use. That would be version number 4.1.44 or higher.

To check the version number, log into LastPass through the browser extension and select More Options > About LastPass. This will show you the software version you're running. LastPass said Friday that most users should be automatically updated to the patched version of the extension.

If that's not the case for you, download the updated extension from LastPass.com.

Am I doomed if I used LastPass last week?

You might be thinking, "I had no idea I wasn't supposed to be using the LastPass browser extension last week." Fair enough.

The patch took all of last week because the flaw stemmed from something fundamental in the way the browser extension worked, said Joe Siegrist, vice president and general manager at LastPass parent company LogMeIn, in his updated blog post late Friday.

"This was not a simple patch, and required a thoughtful, thorough fix," Siegrist said. "Those changes then needed to be applied and tested across all affected extensions."

The good news is that hackers couldn't have used the security flaw to break into many accounts at once; they would have had to go to a lot of extra effort, Siegrist said.

A hacker would have to individually target you, sending an email meant to trick you into clicking on a link and downloading malicious software. That software would have let a hacker exploit the flaw in the LastPass browser extension and sneak into your account.

That said, if you're feeling extra paranoid, it's always good to regularly change your passwords. Go ahead and do so if you want to, and also consider adding two-factor authentication to your LastPass and other accounts. LastPass supports a number of different two-factor authentication methods, all of which require you to enter additional information (like a one-time code) to log into your account from a new location.

Is a password manager really a good idea if it can be hacked?

Yes, it's still a very good idea.

Much more common than a security flaw in a password manager is a giant data breach. That's when hackers sweep up thousands, millions or even a billion usernames and passwords from major web services. The highest-profile of these were two separate breaches of Yahoo's user information, both of which came to light in 2016.

These breaches are bad enough. A hacker can do a lot of damage with the keys to your email account, potentially using it to reset passwords to your bank account, for example. Making them worse is our tendency to reuse passwords between websites. If you were using the same password for Yahoo as you were for something else important (that bank account comes to mind again), you'd be in trouble.

But the human mind has its limits, and it's nearly impossible to remember unique, complex passwords for the dozens of online accounts many people have these days. Password managers make it possible by remembering them for you.

Just be sure to keep the software that powers your password manager up to date.
