If you are a LastPass user who has been freaking out over the recent breach, take heed. All of your passwords are likely still safe.
LastPass is one of the most popular apps people use to manage their passwords. You only have to remember one password, and the LastPass app can fill in the proper login information for various sites and services. The breach, which the company announced on Monday, consisted of password reminder hints, user emails and other information being stolen.
While this sounds scary, it’s important to understand how LastPass works, said Joe Loomis, CEO of the security company CyberSponse.
Because the hackers were only able to retrieve reminders and emails, there’s not a lot of damage they can do, since they still have no access to your master password and thus your account, Loomis said.
“It’s kind of a half-breach, because all they did was get emails and reminders, which is on the front-end,” he said. “They got into the bank, but not into the vault. They got into the lobby and the customer service center, but they didn’t get any of their money.”
LastPass users have one master password that gives them access to their account where passwords for other sites are stored. The master password is secured with a high level of encryption and was not exposed in the breach. Passwords stored in the system were also not compromised.
And because LastPass doesn’t enable a password reset in case you forget your master password, there’s no way for the bad guys to change it to access all of your stored passwords, Loomis said.
“It really didn’t pose any kind of risk to anybody because you can’t reset your LastPass password, that is what makes the system so strong,” Loomis said. “The only way a reminder becomes valuable is if someone put in the name of their pet or something.”
In other words, unless you used an insanely easy-to-guess master password with a hint that gave it away, you are probably in the clear.
Regardless, though, LastPass is still prompting all users to change their password as an extra precaution.
“We decided to prompt users to change passwords to account for individuals that may have very weak master passwords,” a LastPass spokesperson told Business Insider.
To add an extra layer of security going forward, Loomis said that users should also enable multi-factor authentication for the password manager. This is an extra way to verify your identity when accessing accounts. It typically means you will have to enter a code sent to your mobile device in addition to your username and password for account access.
LastPass also cautions users to be wary of phishing emails that might ask for the master password for your account or your email address.