LastPass And Malicious Websites Extract Your Last Used Password

LastPass has patched a bug that would have allowed a malicious website to extract a previous password entered by the service’s browser extension. It was reported that the bug was discovered by Tavis Ormandy, a researcher in Google’s Project Zero team, and was disclosed in a bug report dated August 29th.

Experts Comments

September 18, 2019
Robert Capps
VP
NuData Security
Despite this vulnerability, where there is no current evidence that bad actors have stolen user data, password managers are still the best way to manage passwords so that consumers always have a different, strong password for each account. As cybercriminals have become accustomed to consumers using stolen credentials on different accounts, it is mandatory that consumers have a different password for every account, limiting their exposure to the ongoing wave of data breaches. Password managers help consumers keep track of their strong, unique passwords in a user-friendly way. Even if there was no theft recorded from this vulnerability, it is advisable for consumers to update their high value passwords and make sure they have installed LastPass’ latest security updates. For those accounts that allow it, end users should activate two-factor authentication for further security. Luckily, companies are moving away from using only a username and password for authentication, opting to add more layers that include behavioural analytics and passive biometrics, so that vulnerabilities like this one thwart future fraud. If a user has the correct password but is behaving suspiciously, these technologies can stop it before any fraud happens.
