LastPass, one of the most used password management services, sent a security alert to its customers and admitted that it was hacked a few weeks ago. The positive is that the company says it has no evidence that customer data or encrypted password vaults have been breached.
LastPass CEO Karim Toubba explained on the official blog that two weeks ago they noticed signs of unusual activity in their development environment. The company then activated a containment regime, implemented mitigation measures, partnered with a cybersecurity firm, and began conducting a detailed investigation.
Although this investigation is ongoing, Toubba says that no signs of access to user data or encrypted password vaults have been found so far, but the intruder did steal the company's own data, LastPass source code snippets, and technical documentation.
Although the details of the cyberattack and the group responsible are unknown, the company explained that an "unauthorized party" managed to gain access to part of its development environment by compromising a single programmer's account.
LastPass and the problem of hacking these big managers
Password managers are a great solution for managing access to a large number of Internet services where we are registered. This type of software reduces human error when handling passwords as it automates the generation and access process, prevents the problem of using multiple passwords, and as a result also helps against phishing attacks.
One of its great advantages is that you only need to remember one master password and the manager will take care of the rest. The problem is, if that password is captured, you can practically be considered dead. LastPass is one of the largest companies of its kind and claims to have 33 million individual customers and 100,000 businesses.

It should be said that LastPass stores passwords in "encrypted vaults" that can only be decrypted with the customer's master password, which not even the company itself has access to. That's the theory. The company has been a frequent target of cyberattacks in the past for the above reasons.
On this occasion, they claim that they have no evidence that the accounts were accessed or that the general service was disrupted. In any case, until LastPass fully clarifies the situation, I would, first and foremost, change the master password and enable two-factor authentication to ensure that no outside party has access to the accounts.
Another option is to use a different type of manager, such as some of these free and open source alternatives. They have the same problem if your master password is stolen for whatever reason, but are generally still much more secure than managing passwords yourself.