LastPass has patched a bug that would have allowed a malicious website to extract a previous password entered by the service’s browser extension. It was reported that the bug was discovered by Tavis Ormandy, a researcher on Google’s Project Zero team, and was disclosed in a bug report dated August 29th.
Despite this vulnerability, for which there is no current evidence that bad actors have stolen user data, password managers are still the best way to manage passwords so that consumers always have a different, strong password for each account. As cybercriminals have become accustomed to trying stolen credentials against consumers’ other accounts, it is mandatory that consumers have a different password for every account, limiting their exposure to the ongoing wave of data breaches. Password managers help consumers keep track of their strong, unique passwords in a user-friendly way.
Even though no theft has been recorded from this vulnerability, consumers are advised to update their high-value passwords and make sure they have installed LastPass’ latest security updates. For accounts that support it, end users should enable two-factor authentication for further security.
Luckily, companies are moving away from relying on only a username and password for authentication, opting to add further layers such as behavioural analytics and passive biometrics, so that vulnerabilities like this one do not turn into future fraud. If a user presents the correct password but is behaving suspiciously, these technologies can stop the session before any fraud happens.