LastPass Says Hackers May Have Stolen Passwords for 1.25 Million Customers

LastPass, a company that offers to safeguard and simplify managing subscribers’ online passwords, said hackers may have broken into its database and stolen information on as many as 1.25 million accounts.

The company’s service allows customers to use one password with enhanced security features to access multiple password-protected accounts for online banking, Internet shopping, and other secure sites. The Vienna, Virginia-based company posted a message on its website late yesterday alerting customers to the breach in its security.

Jeremy Conway, a researcher for the Portsmouth, New Hampshire-based cyber-security company NitroSecurity Inc., said the intrusion risks giving the hackers access to millions of different bank accounts, e-commerce sites and sensitive corporate networks.

“This could be the nastiest password hack in history,” Conway said. “They’ve disclosed just enough so that customers can make all sorts of wild assumptions about how big the problem may be.”

The scope of the losses will depend on how successful the intruders have been at penetrating the company’s network.

The attack on LastPass follows a series of break-ins that have left companies informing customers that sensitive data may have been lost. Early last month, millions of customer e-mail addresses were stolen from the computers of Alliance Data System Corp.’s Epsilon Data Management LLC, a Dallas-based provider of marketing services.

Cyber Intruder

Two weeks later, Sony Corp. reported that a cyber intruder stole personal information belonging to 77 million customers of its PlayStation Network. Ceridian Corp. and Lookout Services Inc., in settlements announced yesterday, resolved federal claims that they failed to properly secure the data of 65,000 employees stolen from their computer networks in 2009.

Joe Siegrist, chief executive officer of Marvasol Inc., which does business as LastPass, said in an e-mail message today that he’s urging customers “not to panic” and noted several measures the company is taking to limit the risk. The company is asking customers to re-set their master passwords, Siegrist said.

Companies like LastPass have grown in popularity in the face of growing internet-based fraud from software that steals passwords stored on individual computers.

“I’ve told people to go use LastPass,” Conway said. “The company will have to take several specific measures following this incident before I’ll feel like I can do that again.”

To contact the reporter on this story: Michael Riley in Washington at michaelriley@bloomberg.net.

To contact the editor responsible for this story: Michael Hytha at mhytha@bloomberg.net
