LastPass has not been hacked, obviously – but what happened? Yesterday, September 16th, I awoke and scrolled through several stories on my phone. “Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak.” was one of the first articles I saw. This scared the hell out of me! I read more and discovered that this “credential leak” was more of a credential challenge than anything else.
What is LastPass?
We feature the LastPass service on the Security page of our website.
LastPass has not been hacked
LastPass offers a lucrative bounty to any security researcher who can demonstrate an exploit in its service. One of Google’s Project Zero analysts discovered the exploit early that day and tweeted about it. The cybersecurity reporter at Forbes then drafted an excellent article about the exploit, even including details regarding how the breach in security could occur. Additionally, LastPass responded with an announcement about the fix.
The team at LastPass quickly pulled together and implemented a solution. But did anyone ever take advantage of the exploit while it was present? No. From LastPass’s statement we can see that pulling this off would have been a monumental task.
“To exploit this bug, a series of actions would need to be taken by a LastPass user, including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass being exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”
– Ferenc Kun
Whew! That sounds difficult, at least. Give