How to protect yourself against the new threat of hacking LastPass
December 19, 2019
Yesterday, a working way to steal data from the popular LastPass password manager was discovered. We recommend reading this article so that you do not fall for the bait.
We use a variety of online services and web applications, and for security reasons each of them needs its own username and password. Keeping them all in your head is impossible, which is why password managers have become so widespread. They provide secure storage and convenient use of usernames and passwords not only for online services, but also for payment systems, bank accounts and so on. A leak from, or a hack of, a password manager can therefore be a big problem for many users.
One of the most popular applications of this kind is LastPass. It really is an excellent solution that has stood the test of time and numerous attacks by hackers. Yesterday, however, computer security expert Sean Cassidy found that phishing attacks against LastPass are possible. He wittily called the attack LostPass (lost passwords).
In short, the vulnerability he found works as follows. First, an attacker lures you to a website that shows a fake (!) notification that your session has expired and you must log in again. You've probably seen such messages from LastPass. Because the notification is fake, clicking the Try Again button takes you to a specially created page that looks just like the standard form for entering your LastPass login and password. Even its address will be almost the same as the one that official pages opened by your installed browser extensions usually have, except for a small detail, which I've highlighted in the screenshot. I am sure that most users pay no attention to such trifles.
Next, you enter your LastPass username and password on this page, and they immediately fall into the hands of the hackers. As a result, the latter receive full access to all of your sites and account data. The attack works even if you have enabled two-factor authentication; the hacker's sequence of actions is simply one step longer. More details on how LostPass works can be read here (in English).
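The address check described above can be written down as code. This JavaScript is an added example, not code from the article or from LastPass; it assumes Chrome, where a genuine extension page uses the `chrome-extension:` scheme with the extension ID as its host, and the ID, the sample addresses and the lookalike pattern are constructed for illustration.

```javascript
// Classify the address of a page that asks for the master password.
// EXPECTED_ID is a constructed placeholder, not the real LastPass extension ID.
const EXPECTED_ID = "abcdefghijklmnopabcdefghijklmnop";
const EXTENSION_SCHEME = "chrome-extension:";
// Text that makes a web address resemble an extension address (assumed pattern).
const LOOKALIKE = /chrome-extension/i;

function classifyLoginAddress(address, expectedId = EXPECTED_ID) {
  let url;
  try {
    url = new URL(address);
  } catch {
    return "invalid";
  }
  if (url.protocol === EXTENSION_SCHEME) {
    // For Chrome extension pages the host part is the extension ID.
    return url.hostname === expectedId ? "extension-page" : "other-extension";
  }
  if (url.protocol === "http:" || url.protocol === "https:") {
    // A page served from the web is never an extension page, whatever its
    // host name or path looks like.
    const visible = url.hostname + url.pathname;
    return LOOKALIKE.test(visible) ? "web-lookalike" : "web-page";
  }
  return "other";
}

// Constructed sample addresses.
const samples = [
  "chrome-extension://abcdefghijklmnopabcdefghijklmnop/login.html",
  "chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/login.html",
  "https://chrome-extension.example.com/abcdefghijklmnopabcdefghijklmnop/login.html",
  "https://www.example.com/account/login",
  "not a url",
];
for (const s of samples) console.log(classifyLoginAddress(s).padEnd(16), s);
```

Only the first sample is a page that belongs to the expected extension; the third one is a normal website whose address merely resembles an extension address.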
Of course, you will want to know how to guard against this danger. Until the LastPass developers take measures to prevent such a phishing attack, users can temporarily disable the service's browser extension. Yes, this is inconvenient, and you will need to copy your passwords manually from the LastPass web page. A more radical option would be to find an equivalent alternative for storing passwords and sensitive data.
Do you still use LastPass, or have you already switched to another password manager?