On Monday the popular password manager app LastPass admitted to being hacked. After the initial announcement, the company assured its customers that their master password data was not exposed, and it’s likely that most user passwords are still safe.
But it turns out this hack may have happened years ago, and that LastPass has been a known target for hackers.
A security researcher told Business Insider that the announcement did not come as a shock. According to the digital security company SecurityScorecard‘s chief research officer Alex Heid, his team has seen inferences of leaked LastPass data since 2013.
According to Heid, SecurityScorecard found a submission on the anonymous posting site Pastebin in 2013 detailing “a list of SQL injection vulnerable websites” An SQL injection is a hacking technique to attack digital applications that store data.
Heid described this list as “websites that were vulnerable and could have a database taken.” LastPass was indeed included in this list, meaning that hackers and/or researchers had found a vulnerability in its code two years ago.
Given this discovery, Heid and his team think it’s highly likely that LastPass was exploited some time ago, and that the hackers have ever since been “sitting on the data.”
The real take home, however, isn’t necessarily that LastPass has been targeted for years now, said Heid. Instead it’s that offering a supposedly secure service that stores private keys on public clouds is a “counter intuitive idea.”
“It doesn’t make much sense because of course it’s going to get hacked,” he said.
He (along with many other experts) recommend that people use password manager solution that allow people to store their private key information locally.