Although the attack is no longer breaking news, we wanted to alert LastPass users and clarify what you should know:
- The attack is focusing on common account usernames - admin, test, administrator, Admin, root - and is systematically testing common passwords to break into accounts with those usernames. The top five passwords attempted in the attack are "admin," "123456," "111111," "666666," and "12345678."
- The goal is not a data dump of user accounts - this is a large-scale attack that aims to take over a user's machine, using the server as a stepping stone in order to add it to the botnet's arsenal. A network of compromised machines can wreak havoc in a distributed denial-of-service (DDoS) attack.
- If you are a WordPress user using CloudFlare, you are protected from the latest attack, according to CloudFlare's blog post.
- If you're still using a default username on your WordPress account, change it immediately.
- To be on the cautious side, change your WordPress passwords immediately, especially if you are using a common password, as WordPress founder Matt Mullenweg noted on his blog.
- Use LastPass to generate a strong, unique password for your account(s). The LastPass security check, in the Tools menu of the LastPass Icon, will also help you identify weak or duplicate passwords on other accounts.
- If you're using a WordPress.com account, activate two-factor authentication.