
Was LastPass really hacked? And are people really still reusing passwords?

Some LastPass users were alarmed by security warnings at the end of last year. Whatever caused them, it’s a good idea to start 2022 with security in mind.

Even over Christmas some things never seem to take a break - things like news about the latest major password leak or hacking incident. If you missed what happened with password manager LastPass over the holidays, here’s a quick recap of the (slightly confusing) news and a few reminders about steps you can take to have greater control over your security, including enabling 2FA on your SiteHost account.

Genuine warnings, but no confirmed attack

Last month some users of LastPass, one of the most widely used password managers, received email notifications about login attempts from unrecognised devices and locations. CPO Magazine reported that the notifications contained the alarming warning that, “Someone just used your master password [...but…] LastPass blocked this attempt”.

While the company said that there was no evidence of accounts being successfully compromised, what exactly happened is still a bit of a mystery.

LogMeIn, the company that owns LastPass, initially suggested that the warnings could have been triggered by credential stuffing attacks. In a credential stuffing attack, username and password pairs leaked in a breach of one site are tried, at scale, against login forms on other sites, so anyone who reused that password elsewhere is exposed. Users disputed this explanation: some said they don't reuse passwords, while others had only just changed their master passwords.

Investigations within LastPass ruled out any harvesting by malware or rogue browser extensions. Some independent security experts weren’t so sure, but no smoking gun has been found.

It's worth noting that the emails were genuine, which rules out the notifications themselves being a phishing campaign (it says nothing, of course, about how any master passwords might have been obtained). Adding to the confusion, LastPass later said that some of the warnings were sent in error.

Lessons to take from the LastPass security incident

A number of possible cybersecurity threats or breaches could have been involved. Whatever actually happened, this is a good reminder to be cautious when it comes to passwords and security.

By implementing a combination of solutions you can create a robust defence for your passwords and accounts:

  • Turn 2FA on wherever you can. 2FA, or two-factor authentication, adds a second step to the login process. After providing your username and password (something only you know), 2FA asks for a short-lived code generated by an authenticator app on your phone (something only you have) before letting you in. It's an effective extra layer of security: a password that has leaked, or that is tried in a credential stuffing attack, is not enough on its own to get into the account.

  • Change passwords when there is a reason to. Change a password straight away if a site reports a breach, if you receive a genuine warning like the LastPass one, or if you know you have used it somewhere else. Changing passwords on a fixed schedule used to be standard advice, but current guidance (NIST SP 800-63B, for example) no longer recommends forced periodic rotation, because it tends to produce weaker, more predictable passwords. Unique passwords plus 2FA matter more than the age of the password.

  • Use unique passwords. Never recycle passwords across different sites, especially where banking and personal sensitive information is at risk. Recycling could make it easier for cybercriminals to unlock multiple online accounts.

  • Avoid common passwords. While this tip sounds common knowledge, researchers at Nordpass are unfortunately still reporting that “123456” tops the list of common passwords.

  • Use a reliable password manager. Password managers generate and store strong, unique passwords for you, and let you enter them with a click of a button. A good manager encrypts your vault locally with a key derived from your master password, so the service itself never holds your passwords in readable form; that is why the master password (and the 2FA protecting it) is the one thing you really have to guard. While the LastPass incident might make you doubtful of password managers, they remain a prudent option. But you still need to couple them with other smart password practices, like 2FA.

How to activate 2FA on SiteHost

SiteHost offers 2FA and we strongly recommend that you enable it for all your accounts. You can activate it with these few steps:

  • Install your preferred 2FA app.

  • Log in to the SiteHost control panel.

  • Open Account from the main menu on the left.

  • Select Two Factor Auth from the navigation tab.

  • Click the Add 2FA Method button in the top right.

  • Open your 2FA app and follow the steps provided by the app.

  • Enter the 2FA code generated by your app.

  • Click Activate 2FA.