Nov 21, 2014

Game Site Accounts Hacked: Action Required

A hacking group has obtained login credentials for PlayStation Network, 2K Game Studios, and Windows Live. The hackers, known as DerpTrolling, have released a subset of the data to confirm their claim; LastPass has reviewed it and determined that the leaked credentials are valid. This group has also claimed responsibility for a DDoS (distributed denial-of-service) attack on Blizzard Entertainment, in which they overloaded Blizzard's servers and shut down the service to users over the weekend.

According to the hacker group, the motivation for the attack was to demonstrate to the gamer community the vulnerability of their information and to compel these large companies to further protect the information of their customers. The breadth of the leaked information could be vast. A member of the group claimed "We have 800,000 from 2K and 500,000 credit card data. In all of our raids we have a total of around 7 million usernames and passwords...We have around 2 million Comcast accounts, 620,000 Twitter accounts, 1.2 million credentials belonging to the CIA domain, 200,000 Windows Live accounts, 3 million Facebook, 1.7 million EA origins accounts, etc."

Action Required

LastPass has deactivated the exposed accounts whose owners reused their LastPass master password with these services. Remember... if you’re reusing passwords, especially your LastPass master password, you’re inviting trouble. We recommend immediately changing the passwords for these affected sites. If you reuse passwords on more than one site, you should change those duplicate passwords as well. Use the password generator in LastPass to create a strong, unique password for every account.

As always, we will stay vigilant and do what we can to protect our users and their information.

Be Secure,

The LastPass Team

Nov 18, 2014

LastPass’ App Fill on Android Gets an Update

At LastPass, we’ve always believed in making it as easy as possible to practice good password security on all your devices. We’re furthering that mission with our latest update on Android, which brings near-universal support for logging in to apps and web sites.

Until now, the structure of some apps, like banking and financial apps, required extra steps to get logged in. Today we're releasing the App Fill Helper, which can fill your credentials in almost any app or web site. It's there when you need it, but can just as easily be disabled or enabled for any or all apps.

The App Fill Helper appears on the edge of your screen, in browsers and selected apps. The helper can be dragged to either side of your screen, so it stays out of the way while being easily accessible to assist with your login.

When you tap the helper, LastPass displays matching logins for the web site or app. In cases where the web site or app doesn’t allow LastPass to autofill, as we sometimes see with financial apps, the App Fill Helper will offer convenient copy-paste options instead.

Overall, this update allows us to help you log into more web sites and apps than ever before. Now you’re typing less and getting an improved mobile experience, because LastPass can better handle the huge variety of apps and mobile web sites.

Available in the Google Play Store, the updated LastPass app supports filling logins in Android mobile apps and a number of mobile browsers, including Chrome, Opera, Yandex, Boat Browser, InBrowser, Amazon's Silk Browser, and Javelin.

The LastPass for Android app is part of our Premium service for $12 per year, with a free two-week trial for you to test out the features before upgrading. Or, upgrade today for unlimited mobile sync and even more password management features.

Nov 17, 2014

8 Tips to Protect Your Credit Card This Holiday Season

Gearing up for some online shopping this holiday season? With Black Friday and Cyber Monday only a couple weeks away, now’s a good time to ensure you’re set up for efficient, secure shopping as you check things off your holiday to-do list.

Here are 8 tips to keep you safe - and productive - as you shop online:

1. Don't store cards in browsers or online accounts.

Shopping online involves a lot of tedious forms, which means a lot of repetitive typing as you fill out your name, your address, your phone number, your email, and so on, with every single purchase you make. LastPass Form Fill saves time by filling all that for you. Storing and encrypting your credit cards with LastPass means you don’t need to put your credit cards at risk by storing that information in your web browser or your online accounts.

2. Shop at familiar companies, or research well.

If it’s your first time shopping with a vendor, conduct some research to ensure it’s a legitimate seller. Look for merchant reviews online or ask for feedback amongst your trusted peers. Look for social proof of an unfamiliar vendor by searching for them on Facebook or Twitter to see how legitimate they are. Familiarize yourself with the vendor’s refund policy and contact information, and look at the privacy policy to understand how your information may be used.

3. Look for a locked HTTPS connection.

Before entering your personal or financial information on a website, ensure the website is using a secure connection with SSL. LastPass Form Fill warns you before entering information on a non-HTTPS site. You can also look in the browser’s URL bar to see that there’s a padlock showing, and that the web address begins with HTTPS, confirming that you have a secured connection on that website. Using a secured connection ensures your data is transferred safely when you make a purchase.

4. Give as little personal information as you can.

Many websites won’t let you check out without confirming some personal details. Choose the option to check out as a “guest” when you can, or ensure you only fill out the required fields and nothing more. Understand what information they’re asking for and how that data may be used according to their privacy policy. If a website makes it optional to store your credit card, don’t keep it on file. The less information the website stores about you, the less there is at risk of being leaked in case of a data breach.

5. Create a strong, random password when you register.

Every single online account you sign up for should have a different password. When using a password manager like LastPass, it’s easy to create a new one with the LastPass Password Generator as you’re registering for a new online account. You can also log in to existing online accounts and update old passwords at any time. And since LastPass does the remembering for you, you don’t have to worry about forgetting any of those new passwords - even if you don’t shop at those sites again for a year or more.

6. Keep an eye on credit card statements.

As soon as your credit card statements are available, review them for any unauthorized charges. If you print receipts from online purchases or save the records sent via email, it’s easier to compare your bank statements against your online purchases. If there’s any discrepancy, it’s best to contact your bank and report the issue immediately.

7. Only connect with secure WiFi.

As you’re submitting your personal and financial information online, it’s important to use an Internet connection that you know is secured. Even if you’re connecting to the website via HTTPS, on an open network it’s much easier to be tricked or phished into revealing passwords, credit cards, and other personal information you submit to a website. You don’t know how well the hotel or cafe secured their open WiFi, so it’s better to leave any transactions and sensitive account logins for later.

8. If it’s too good to be true, it probably is.

It’s thrilling to chase those great deals, especially on Cyber Monday, but be wary of anything that sounds so good that it’s unbelievable from vendors you don't know. Cyber criminals try to lure shoppers with unbelievable prices, fantastic rebates, or free promotions - including mobile apps that claim to give you perks, like free texts or calls, in exchange for logging in or posting something. Unsolicited emails, texts, calls, or social media messages could be an attempt to get you to hand over an account login or credit card information. When in doubt, play it safe.