Password-storing company falls victim to hack

Reuters/Kacper Pempel
Hackers have attacked a company that stores people’s passwords online. LastPass warned its clients that they should change their passwords.

The company announced in a blog post that they had discovered and blocked “suspicious activity,” although it insisted that “encrypted user vault data was not taken, nor that LastPass user accounts were accessed.”

Although the company also said its customers should change their master passwords, while assuring them that LastPass is working with “the authorities and security forensic experts.” The company claims “additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

Cybersecurity experts have promoted LastPass as a solution to the problem of multiple passwords, which are often hard for people to keep track of; it also offered a solution they say of keeping just one password for all your online devises and accounts, which is considered bad practice.

READ MORE: 'Just for lulz': Hackers leak 13,000 passwords from Amazon, PlayStation, Xbox

But despite the company’s assurances, even if a user has a LassPass-protected password, if it’s simple enough and in common use – like your date of birth or something like Password123 – then hackers can work it out in minutes.

This means that hackers could then potentially gain access to bank details and hospital records.

A survey released earlier this year by SplashData, which was conducted from more than 3.3 million passwords that had been leaked in 2014, found that people often use simple passwords such as “123456.” Other numerical combinations were found to make up nine of the top 25 most popular passwords.

However, the study found that people are moving away from using the most common passwords. According to SplashData four years ago the top 25 passwords accounted for six percent of leaky passwords, and in their figures released in 2015, this had fallen to just 2.2 percent.

READ MORE: ‘123456’ still most popular password but users waking up to cyber dangers – study

And in any case, a determined hacker with enough computing power would eventually be able to work out virtually any password.

"Attackers seem to have all they need to start brute-forcing master passwords," Tod Beardsley, a research manager at cybersecurity firm Rapid7, told CNN Money.

In December last year, the hacktivist group Anonymous released a file containing 13,000 passwords and usernames as well as credit card numbers that they had hacked from sites like Amazon and Walmart.

The Daily Dot published a full list of the nearly 40 websites where users were compromised including PlayStation Network and Xbox Live, as well as handful of port sites.

Anonymous is a loose organization of hackers and online activists that goes after governments and corporations, but is not known for targeting individuals at random.