Thursday, May 5, 2011

LastPass Gets Hacked For 1.25 Million Passwords




In what would seem like the cyber equivalent of turning someone upside down and shaking all the money out of their pockets, some unscrupulous hackers took LastPass for an estimated 1.25 million passwords.

LastPass is a service that lets users store their login information for different websites under one ‘secure’ password, which LastPass keeps safe. That makes it easier for people to create crazy passwords without having to worry about remembering them.

That was, up until yesterday, when apparently someone got behind their firewalls and stole the aforementioned 1.25 million passwords. That’s quite a few passwords, especially considering that, now that those are taken, whoever has them can log in to the users’ accounts and everything linked to them. That means a lot of people have good reason to check their bank accounts and other sensitive online data.

If you’re concerned about how much might have been taken, then you should go ahead and change all your passwords ASAP, along with the email and other info related to your LastPass account.

I would also suggest that you don’t use single-login services like LastPass. It’s kind of a bad idea to put all that information under one account; your best bet for safety is creating choke points for everything. Say, for instance, you want to start a Facebook account: you should have one specific email account for that Facebook account. That way, if someone hacks your Facebook and gets your email through it, they won’t have a real address. It’s a choke point, and it ends with (preferably) totally false data. By creating multiple accounts for things like that, you can focus on making your personal email secure and change those passwords daily. Remember to make those other accounts look as real as possible: use pictures you find on the internet, and make the name as real as possible. Basically, what you’re doing is creating multiple false identities so that you can waste as much of the time of someone who is trying to get your info as possible. If they think it’s real they’ll keep going until they realize it’s not, and if they do hack or steal anything, at least it won’t be real. And for the love of god, don’t let any of those accounts link to any real personal info. Don’t give an alternate email (unless it too is fake).

I think it works best if I give you an example of what goes through the mind of someone trying to get your personal information via Facebook. For the sake of me not getting carpal tunnel today, let’s skip to them already having your Facebook login info. First-person mode, GO!

OK, so I’m logged in as you, maybe watching you chat with a friend (oh, you didn’t know I could do that… maybe I’ll tell you how later, but for now, maybe you shouldn’t use FB chat). But that’s boring and I’m not getting much info, so I’ll keep monitoring it to see if anything good comes up. I go through your info and find out where you work, where you went to school, who your friends are, etc. I can do something with that, but I’m not in the mood for that much work; I just want your name (you were smart enough to make a fake one for Facebook, right?). Maybe that will pop up in chat, but I don’t feel like sitting here all day waiting for someone to type your name. I’m going to go check out your email, since Facebook is looking like it’s going to take some time to get what I need from (I could trick one of your friends or use the information to start building a profile, but hopefully, if I cared that much, you’d know why and be keeping yourself off Facebook altogether). Of course I already have your fake email, but what I need is your real one; I’m hoping to find a hole in the only access I currently have. Thanks to the fake email and fake Facebook info, I don’t know your real name, address, phone number or anything. Just your Facebook account login info, which I will lose once it alerts you by email that someone logged in from a computer that wasn’t yours and you change that password, or delete the account altogether and start another, and I’m back to square one.

So you see how this works? It’s the old ‘don’t put all your eggs in one basket’ spiel. If you work for a company and have a responsibility to protect sensitive data, then it’s the least you could do to keep yourself a little safer. Stop being so lazy about logging into multiple sites.

Source: Bloomberg Businessweek


  1. You should really refer to the LastPass Blog for the FACTS concerning the security breach. You seem to have gotten most aspects of the story wrong.

  2. Thanks for the heads up. When I'm wrong, I'm wrong; after a little research I found out I'm VERY wrong in this case. I will post something much more factual in a bit.

  3. Here's the fix