'Vast majority' of users safe after hack, LastPass CEO says

Attackers stole usernames and clues to master passwords, the company says, but are unable to breach the vast store of encrypted passwords the service manages.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read

Getty Images/Ikon Images

Apparently, a gateway to an untold number passwords is a tempting target for hackers.

Password manager LastPass on Monday announced that hackers had breached its system. While the electronic intruders got their hands on user email addresses and other information, they weren't able to get into accounts where users store all their passwords, according to the company.

"We are confident that our encryption measures are sufficient to protect the vast majority of users," Joe Siegrist, the company's chief executive, said in an explanation of the hack.

Users may be uncomfortable knowing hackers succeeded in attacking a company that prides itself on security -- or they may chalk it up to modern life on the Internet. With major cyber security company Kaspersky Lab announcing it was hacked last week, LastPass is not alone in its troubles.

What's more, LastPass has found traces of security breaches in the past. In 2011, the company urged users to change potentially weak master passwords, as well as their banking passwords.

LastPass said it discovered and blocked the suspicious activity on its network on Friday. The company is still investigating when the breach occurred, said Vice President of Marketing Erin Styles.

LastPass doesn't actually store a tremendous cache of usernames and passwords on its own servers -- where hackers might romp through and wreak havoc. Instead, it uses encryption that disguises passwords and only allows them to be read on individual users' Web browsers.

Nonetheless, the master passwords of LastPass users could be vulnerable. Along with user email addresses, the hackers stole their clues for their master passwords. A really obvious clue might spell disaster for some users with easy-to-guess master passwords. Hackers could potentially access their accounts and find all of their usernames and passwords.

"If you have a weak master password or if you have reused your master password on any other website, please update it immediately," Siegrist said. "Then replace the passwords on those other websites."

Update, 5:30 p.m PT: Adds comment from LastPass.