scorecardresearch Skip to main content

Despite LastPass hack, cybersecurity experts say to stick with password managers

Password-manager firm LastPass was hacked, but security experts are downplaying the impact.SEM VAN DER WAL/ANP/AFP via Getty Images

Boston cybersecurity company LastPass, which makes a popular password manager app, said it was hacked but that no customer information was stolen.

LastPass, which is being spun off from software company GoTo, said the attackers stole some of the source code to its system and other technical information.

More than 33 million people and over 100,000 businesses use LastPass apps to store their login information. In theory, password manager apps help people improve security by maintaining hard-to-guess passwords without reusing the same password for multiple sites.

The hacking attack did not reach any of customers’ stored passwords or other information, LastPass said, though its investigation is ongoing. “After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” the company wrote in a blog post.


The incident follows dozens of high-profile hacking attacks at other companies that have resulted in the theft of personal information about consumers and worse. Last year, Chinese hackers penetrated Microsoft’s Exchange e-mail servers, gaining access to millions of messages. And a ransomware attack in December on Ultimate Kronos Group knocked offline payroll and scheduling software used by thousands of businesses, government agencies, and nonprofits.

LastPass is not recommending that its customers change their passwords or take any other actions. The company said it stores all customer data in encrypted form that it cannot decode, providing an additional level of safety.

Security experts said using a password manager app still makes sense.

“They are a far better option than reusing old passwords,” Northeastern University professor and cybersecurity expert Ryan Ellis said. “Like anything, they aren’t perfect. But at a time when each of us has more accounts — and more passwords — than they can count, password managers are an important tool.”


Bruce Schneier, chief of security architecture at Boston-based Inrupt and the author of numerous books on cybersecurity, was even more blunt. “A friend of mine got sick from a bad clam the other week, and in light of that I am wondering if eating is still safe,” he joked. “But I do get the worry.”

Still, consumers can go beyond just using a password manager if they are concerned about the hack, Kevin Powers, director of the cybersecurity policy and governance master’s programs at Boston College, said. He recommended using a multifactor authentication app in combination with a password manager.

“You’re never 100 percent secure, but you can reduce your risk by following some simple best practices,” he said.

Aaron Pressman can be reached at Follow him @ampressman.