If you use LastPass as your password manager, I recommend reading this post in full.
If you know anyone who uses LastPass, forward this to them.
Even if you do know about the LastPass hack, I still recommend you read this, as there will be information here that you may not know about and risks you have not thought of.
In case you are not aware, LastPass got hacked back in August 2022 and then again in November, and all customer password vaults have been stolen. This is also not the first time they have been compromised; it has happened before.
LastPass has been very sketchy about revealing what happened or revealing the seriousness of the hack and waited until December 22nd to put out a statement telling customers their vaults had been stolen, knowing full well that most users would have left for the Christmas holidays and probably wouldn’t read the email or be able to take action.
My advice is to move away from LastPass ASAP and change all your passwords.
How Serious Is This?
As long as you had a very strong master password on your LastPass account, security experts agree that hackers will not be able to crack it and decrypt your vault, which would potentially take thousands of years or more. If however, you had a weak or moderate master password, then you should probably consider it compromised.
However, the strength of your master password is not the only issue.
There have been numerous issues revealed about how LastPass encrypts data and enforces strong passwords, especially for users who signed up several years ago, when the requirements were much weaker, and LastPass has never prompted or enforced these users to change their weak master password. This means many users do still have weak master passwords that are easy to crack.
It was also discovered by security experts, that LastPass only encrypts the PASSWORD and NOTES fields in the vaults, everything else is in plain text and can be viewed by hackers right now, which is a serious problem. This means all the other data in your vault is compromised, so they know who you are, what company you work for, what websites you use, the usernames of those websites, and any other piece of data you stored in your vault.
If any of the websites/accounts you had stored in LastPass also had weak passwords, the chances of those also being hacked have now also increased.
You can also be sure the hackers will be selling your vault to anyone who wants it on the dark web, so it won’t just be the original hackers trying to get into your vault, it will also be every other hacker and cybercriminal they sell the data to.
The even bigger issue here is that LastPass has now been hacked several times, so obviously their security is not up to scratch, plus the way they have handled the situation is highly unprofessional and unethical. In an attempt to save their reputation and stop customers from leaving in droves, they have been intentionally sketchy with the truth and tried to mislead everyone about what happened, when it happened and how serious it was, meaning they simply cannot be trusted anymore.
Armed with the non-encrypted information from users’ vaults, it will be very easy for hackers to launch phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts. So you need to be extra vigilant in checking that every email you receive is really from who it says it is from.
It is not likely that hackers will be going after the average user, there are millions of them; instead, they will be targeting the vaults of high-profile users, CEOs, MSPs etc, but this still doesn’t mean you are safe, see the indirect risk warning below.
Please also be aware that the 2-factor authentication on your LastPass account will not help here, since 2FA only protects the login process on the LastPass app or website. The hackers do not need to log into anything here; they just have an encrypted file that they need to decrypt. So they are simply trying to decrypt the password vaults, which are encrypted with your master password only, so no 2FA is involved.
If you used a password that is made up of information that could be easily gleaned by checking your social media posts and activity etc, such as family member names, date of birth, etc, then these are also easily hacked.
NEVER create passwords made from personal information about you or your family or hobbies etc. Always create random passwords or phrases made from random words. This is the point of using a password manager and why they do this for you.
It is also important to consider how this can indirectly affect you.
Even if your vault does not get compromised, someone else or another company who you do business with (such as me for example), who also has access to any of your systems, websites, or accounts, could have their vault compromised, especially if they had a weak password (my passwords are strong BTW) which in turn compromises you.
It is also highly likely that some websites/businesses you use and trust will end up being hacked as a result of this, due to that company or someone who works there having their LastPass vault compromised.
So by changing all those passwords, you are also protecting yourself from this indirect compromise as well.
What you need to do
You need to get all your data out of LastPass, move to a new password manager, delete your LastPass vault, cancel your account, change all your important passwords and enable 2FA everywhere possible.
1. Change Your LastPass Master Password
Please note that this will not help with the copy of your vault that has been stolen, it will only change the password on your current vault, but if the criminals do manage to crack your master password, then you don’t want them then being able to login to your LastPass account and accessing your live vault as well before you have had a chance to delete it and close your account.
If you use LastPass as your 2FA authenticator to generate your One Time Passwords (these are the codes you use for 2-factor authentication), these cannot be exported as they are randomly generated every 60 seconds, what you will get in the export will just be junk.
So you will need to reset the 2FA on all those sites where you are using LastPass as the authenticator and set them up in another authenticator. You can either use whatever new Password Manager you move to or if you prefer to use your mobile device, then I recommend using Microsoft authenticator.
You will need to keep your LastPass account active while you do this since you will need to use it to generate your One Time Passwords to log in to those sites and reset 2FA to begin with.
I recommend importing the exported CSV file into Excel, password-protecting it, and then saving it as an .xlsx file. Now delete the original CSV file and also empty your recycle bin.
This way you do not have all your passwords stored on your computer insecurely in plain text.
2. Import your data into a new Password Manager
First, you need to pick a new password manager, the best solution will really depend on your requirements.
If you don’t need to share passwords with anyone else, don’t need any bells and whistles, and are happy to store everything on your mobile device, then you can use Microsoft authenticator, as this also has a built-in password manager.
The downside of this is that if you need to log into anything on your PC/laptop or any other device, you will need to manually type those long, randomly generated passwords.
I personally have moved to Bitwarden, which has a free plan for personal use and very reasonable pricing on all the other plans. However, it’s not the prettiest or most intuitive app, so it may not be the right choice for the less computer literate among you, who may prefer one of the other apps above or something else.
All make it nice and easy to import your LastPass data and provide instructions in their knowledge base on how to do this.
And finally don’t forget to delete that exported file once you have finished with it, and also delete it from the recycle bin too.
TIP: If you press SHIFT while deleting a file, it doesn’t go to the recycle bin.
3. Reset all your 2-factor authentications
As mentioned above, you will need to reset the 2FA on all those sites where you are using LastPass as the authenticator and set them up in another authenticator.
If you don’t do this first, you will no longer be able to get into those sites once you delete LastPass as you won’t be able to generate a OTP, and will need to go through more hoops to reset 2FA and get access to those sites. So decide which option is preferable.
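To turn the export and 2FA-reset steps above into a checklist, here is an added Python example (not from the original post). It parses a LastPass-style CSV export, assuming the column layout url,username,password,totp,extra,name,grouping,fav and the http://sn marker for secure-note rows, and lists the entries that carry a TOTP seed you must re-enroll in another authenticator, plus short or reused passwords to rotate first. The sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Column names as assumed for a LastPass CSV export (not taken from the post).
EXPECTED_COLUMNS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]
SECURE_NOTE_URL = "http://sn"   # assumed marker LastPass uses for secure-note rows
MIN_LENGTH = 12                 # assumed threshold for flagging short passwords

# Constructed sample export; every value here is made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Summer2019!,,,Mail,,0
https://bank.example.com,alice,Kq7!vR2#pLm9zX4w,,,Bank,Finance,1
https://shop.example.com,alice@example.com,Summer2019!,,,Shop,,0
https://github.com,alice,p8$Wd3qL!nV2,JBSWY3DPEHPK3PXP,,GitHub,Dev,0
http://sn,,,,"Recovery codes, keep offline",Recovery codes,,0
"""


def parse_export(text):
    """Parse the CSV text into a list of row dicts, refusing unexpected layouts."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    return list(reader)


def character_classes(password):
    """Count how many of lower/upper/digit/other appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def is_weak(password):
    """Short or low-variety passwords go to the top of the rotation list."""
    return len(password) < MIN_LENGTH or character_classes(password) < 3


def triage(rows):
    """Build the to-do lists the migration steps call for, never echoing secrets."""
    totp_to_reenroll, weak, by_password = [], [], defaultdict(list)
    for row in rows:
        if row["url"] == SECURE_NOTE_URL:
            continue  # secure notes carry no login to rotate
        if row["totp"]:
            totp_to_reenroll.append(row["name"])  # seed lives only in LastPass
        if is_weak(row["password"]):
            weak.append(row["name"])
        by_password[row["password"]].append(row["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    # Rotate weak and reused logins first; each site name is listed once.
    rotate_first = []
    for name in weak + [n for group in reused for n in group]:
        if name not in rotate_first:
            rotate_first.append(name)
    return {
        "totp_to_reenroll": totp_to_reenroll,
        "weak": weak,
        "reused": reused,
        "rotate_first": rotate_first,
    }


if __name__ == "__main__":
    result = triage(parse_export(SAMPLE_EXPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The script prints only site names, never passwords or TOTP seeds, so its output can sit in your notes while the exported file itself is deleted as described above.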
Anywhere that offers 2FA, make sure it’s enabled.
4. Delete your LastPass account
Once you are sure that you have everything you need from LastPass, and don’t need to access the OTPs (One Time Passwords) for 2-factor authentication for any of your sites, you can go ahead and close your LastPass account, which will delete your vault.
You could work on the basis that your vault will not be decrypted and that you are safe, especially if you had a very strong master password.
Or you may want to go and change all your passwords just in case, don’t forget the indirect compromise I mentioned earlier.
Anywhere where you have 2FA enabled is technically safe, as the password by itself will not let the hackers into that account, and you should get notification of any attempted access.
But you should certainly consider changing passwords on any important site or account where 2FA is not in place.
For example: your email account (very important, very few email providers have 2FA), hosting account, online banking, social media accounts, website admin, Amazon account, and other online stores and anywhere that has your banking or card details stored and could be used to make purchases.
Remember, any website/account that gets hacked, even seemingly insignificant websites, may contain information about you that will then help the criminals/hackers gain access to other accounts of yours, such as your answers to security questions, which are likely going to be the same on every website you use. Armed with this information, they can then pretend to be you, claiming they have lost their login details, and use the security questions/answers to reset passwords and gain access.
If any 3rd parties also have their own separate logins to anything of yours, such as your email, website, banking, Amazon etc, send this information to them, and if they use LastPass, they should also change their passwords too.
5. Be vigilant
As mentioned above, armed with the non-encrypted information from users’ vaults, hackers, cybercriminals, and scammers all around the world will be launching phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts.
These emails will likely come in the form of warnings about your account being compromised or about this very LastPass hack, telling you to reset your password, and sending you to a fake website.
Since there will also be legitimate emails from those same websites telling you the same thing, you need to check who the email really came from (check the from address) and verify that links in any emails go to the real website (look at the domain name).
The best suggestion is simply to avoid clicking links in such emails, and instead, just go to the website manually by typing the URL, then you know you have gone to the real website.
Also be wary of unusual emails/messages from friends, family, colleagues, staff, and even your boss, as the person sending the messages may be a criminal or scammer who has compromised their email, social media account, etc. If in doubt, always pick up the phone and call that person to make sure it’s actually them you are talking to.
Did you know that most electronic devices and the majority of Internet-connected (IoT) devices can be hacked?
In this article, we will look at some hacking statistics to illustrate the impact of hackers’ activities in modern society. Naturally, hacks are a great concern for website owners – but the truth is that all Web denizens are susceptible to hacking activity.
In the text below you will find some fantastic stats which will help us to find out:
Which is the biggest bank heist that was pulled off by cybercriminals?
Which is the most significant data breach of our time?
Are ATMs vulnerable to hacker attacks?
When did the first hack happen?
Also, we’ll visit the dark web’s markets to see how much it costs to buy a new identity.
Now let’s get started with some hacking stats.
There is a hacker attack every 39 seconds
Russian hackers are the fastest
300,000 new pieces of malware are created every day
Multi-factor authentication and encryption are the biggest hacker obstacles
You can become an American citizen for $6,000
The cost of data breaches will increase to $2.1 trillion globally in 2019
The cybersecurity budget in the US is $14.98 billion
Sounds scary, doesn’t it? Let’s delve in deeper and find more details about each one.
Outrageous Hacking Statistics
Some of the cyber breaches are audacious, others outrageous, yet others simply stunning.
1. There is a hacker attack every 39 seconds.
(Source: Security magazine)
By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.
2. Cybercrime is more profitable than the global illegal drug trade.
(Source: Cybersecurity Ventures)
The profit from the illegal drug industry amounts to around $400 billion annually. For comparison, cybercriminals have earned a total of around $600 billion in 2018.
3. Hackers steal 75 records every second.
(Source: Breach Level Index)
Cybersecurity facts show us the average number of records stolen per second. Breaches are actually a lot rarer than that – it’s just that each breach allows for a lot of records to be stolen.
4. 66% of businesses attacked by hackers weren’t confident they could recover.
Most businesses don’t really know if they’re prepared for a cyber attack. Actually, 75% of all businesses don’t even have a formal cyber attack response plan.
Cyber attacks statistics reveal that in 2018:
5. 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.
According to the same survey, 80% of hackers say “humans are the most responsible for security breaches”.
6. The cybersecurity budget in the US is $14.98 billion in 2019.
In just two years, the U.S. cybersecurity budget rose by almost 14%. It used to be just $13.15 billion in 2017.
Like everything, there’s a balance in the cyber-world as well. Hacking facts show that:
7. White hat hackers earned over $19 million in bounties in 2018.
What’s interesting here is that 81% of them learned their craft mostly through blogs and educational materials online. Only 6% completed a formal class.
8. There are over 715,000 cybersecurity experts employed in the US alone.
There were 313,735 job openings for cybersecurity experts until August 2018. This number will continue to grow as we’ll see a bit later. Cybersecurity statistics assure us this will be one of the best paying jobs in the near future.
Are you learning stuff? Good, those stats are awesome. All these numbers look impressive, don’t they? There are more to come, but let’s pause for a second to see the world through hackers’ eyes.
For example – if you see new technology, the first logical question you may pose is – “What does it do?”
Hackers see it differently, though – their question is “What can I make it do?”
These statistics on hacking may not help us understand how a hacker thinks, but we can make some definitive conclusions about their nature.
First off, let me explain the difference between a black hat hacker, a white hat hacker, and grey hat hacker.
Black hat hackers are hackers with criminal intent.
White hat hackers are hired to test the security of a system. They have permission to do it.
Grey hat hackers don’t have criminal motives, but once they start exploiting a system, they can break some laws.
Now that we have the basics, let’s continue with some…
Stunning Hacker Statistics
The statements below are checked facts, not empty statements.
9. Russian hackers can infiltrate a computer network in 18 minutes.
Want to reread the above stat? 18 minutes. I drink my morning coffee longer than that.
Russian hackers aren’t wasting any time when they put their mind to it. North Korean hackers need just under two and a half hours. Chinese ones take longer – about 4 hours.
10. Hackers are the average American’s biggest fear.
1% of Americans are wary of hackers stealing their credit card or financial info. Considering how many cyber attacks happen per day in the US, we can understand why that is. US citizens also worry about the possibility of identity theft – 67%.
The possibility of being assaulted or killed by a co-worker where you work – 7%. I sure don’t want to go to their office.
11. You can purchase a consumer account for $1 on the dark market.
You can buy a bus ticket for a dollar. Or you can buy a ticket to an eCommerce site. The choice is yours.
When looking at data breach statistics, we can see that billions of records have been stolen. This created an abundance of credentials for sale, which reflects on their price. Bank accounts still cost more – between $3 and $24 apiece. Most other online accounts cost $1 or less.
12. More than 6,000 online criminal marketplaces sell ransomware products and services.
A total of 45,000 products are on sale there. If we add all non-ransomware products and services, the number will easily exceed 1 million.
13. 444,259 ransomware attacks took place worldwide in 2018.
Almost 1 in 4 (100,907) occurred within the consumer marketplace.
Hacking statistics for 2019 also show us that:
14. Hackers create 300,000 new pieces of malware daily.
I guess some people’s fingers never sleep. Let’s hope cybersecurity specialists are up to the task.
And speaking of cybersecurity specialists:
15. There will be 3.5 million cybersecurity job openings in 2021.
There are almost 314,000 job openings for cybersecurity specialists in the US alone as of October 2018. Cybersecurity Ventures expects that cybercrime will more than triple the number of job openings over the next five years.
Now let’s have a break from the hacking statistics for a while.
See, hackers are like you and me in a way. They are curious about the world and themselves. Some of them describe hacking as an adrenaline rush. All people have “their thing” – some dance, some climb mountains and so on. Hackers exploit vulnerabilities. Come to think of it – it’s like a puzzle. Put all the right pieces together, and voila.
Now let’s imagine a situation. You are in a hotel. There is a TV in your room. What do you see? “A TV”, most of you would say. What does a hacker see? A gateway to the hotel’s network. It’s similar to any other target.
How and Why Were Companies Hacked in 2018
Businesses are deemed lucrative and often easy prey. So business owners must be ever vigilant, thus choosing a good hosting provider, such as Guru or GetFlywheel is an important step in the right direction.
16. 65% of companies have over 1,000 stale user accounts.
Stale accounts and outdated permissions are targets for exploitation and malicious use. Hackers desire data, and they can get it by hijacking an account.
While we’re on the topic:
17. 32% of black hat hackers admit privileged accounts are their number one way to hack systems.
Seizing such an account could be pretty easy with a simple phishing attack.
18. 75% of all attacked businesses reported fraudulent emails.
(Source: Cyber Security Breaches Survey 2018)
Fraudulent emails as part of a phishing strategy are still a hacker’s favourite tool to obtain credentials.
Computer hacking statistics also show that:
19. 15% of UK businesses lost control over a network to a hacker.
(Source: Cyber Security Breaches Survey 2018)
Unauthorized use of systems, computers or servers from outside entities rose by 5% in 2018.
20. Companies protect only 3% of their folders.
And 88% of companies with over 1 million folders have over 100,000 folders open to everyone. Certainly makes a hacker’s job easier.
Lousy protection is one of the main reasons why…
21. 43% of UK businesses have reported breaches or attacks in the last 12 months.
(Source: Cyber Security Breaches Survey 2018)
Cyber attack statistics show 72% of large companies report such events.
22. Up until March 2019, more than 14 billion data records had been lost or stolen.
(Source: Breach Level Index)
The exact number as of March 27, 2019, is 14,717,618,286. Only 4% of these breaches were “Secure Breaches”, meaning the data was encrypted and therefore rendered useless.
So far we’ve looked at the possibilities for hackers to cause damage. Now let’s check out some examples of their handiwork:
How Giants Fall – Data Breach Statistics
The numbers in some of the biggest data breaches are stupefyingly big.
23. Yahoo’s data breach – 3 billion compromised accounts.
It’s quite a story. In 2016 Yahoo admitted the truth about the most significant data breach in history. They publicly stated that 500 million users’ accounts were compromised in 2014.
Later the company declared there was another breach in 2013 with another 1 billion compromised accounts. Finally, in 2017, Yahoo said the whole truth – the attacks had compromised a total of 3 billion user accounts.
It is still the most significant data breach in history.
One of the recent big hacks happened in 2017, when…
24. 209,000 payment card numbers and expiration dates were stolen from Equifax.
146.6 million names, dates of birth and 145.5 million US social security numbers were taken as well from the credit monitoring firm.
25. Marriott International – 500 million users’ data stolen.
In 2018 Marriott International discovered attackers who had remained in the system since 2014. The hackers stole the credit card numbers and expiration dates of more than 100 million customers. The other 400 million lost “only” some part of their private info – names, passport numbers.
And here’s what the hacked companies will have to pay in 2019:
26. The cost of data breaches will increase to $2.1 trillion globally in 2019.
(Source: Juniper Research)
Well, that’s more than Italy’s GDP in 2018. This number has increased almost four times since 2015.
Since we started talking about money, I want to ask you a question – where is the money?
Once upon a time, there were some people with lots of money. They had so much money, they had to build a house for their money. And that’s how banks appeared.
In the next section, we’ll take a look at the banks hacked in 2018. What do criminals do with banks? They rob them. Cybercriminals do pretty much the same thing, in a more subtle way.
27. Hackers siphoned off $13.4 million from Cosmos Bank in India.
(Source: Hindustan Times)
In 2018 Cybercriminals hacked the bank’s servers on August 11 and 13. The culprits stole the card details of around 12,000 Visa cards.
Long story short – the hackers made it rain 15,000 transactions later.
The next one is really exciting. It makes Jesse James look like a harmless kid on the path of righteousness (his dad was a preacher).
One of the most interesting hacking facts online is that:
28. The Carbanak gang of hackers has stolen over $1 billion in total.
(Source: Kaspersky, Securelist)
We can’t classify this as the biggest bank robbery in history, but it sure is interesting. They targeted around 100 banks around the world, and it took 2-4 months to siphon the money out from each one. The losses per bank were up to $10 million each. The cybercriminals started to test the Carbanak malware in 2013, and it’s still on the loose.
The good news is in 2018 the authorities caught the mastermind in Spain.
These next few cyber hacking statistics visualize how much cybercrime can cost us.
29. Cybercrime cost the world almost $600 billion in 2018.
This number amounts to 0.8% of the global GDP.
To acquire such amounts of money, black hat hackers need specific tools. You can’t find most of them just anywhere. Where do they get them? Let’s find out.
Dark Market Stats
The dark web’s customers may find almost everything there. Thankfully the light side has some tricks prepared to change the cyber attacks statistics in 2019.
30. 68% of black hat hackers say multi-factor authentication and encryption are the biggest hacker obstacles.
Use 2FA whenever possible. Just a tip.
The dark web can’t help you much with 2FA, but there’s a lot of stuff you can buy if you have some Bitcoins ready.
31. For as low as $1.25 you can get a Netflix account.
(Source: Wondershare, dr.fone)
Netflix streaming is one of the standard hacking services and widely available. For a small fee, you’ll receive the email and password of someone’s Netflix account. Just imagine how many people’s credentials have been hacked or stolen for the price to get this low.
32. You can purchase the WinPot malware for 1 bitcoin.
Don’t know what WinPot does? Nothing much? It only makes the ATMs of a popular ATM vendor dispense all the cash from their cassettes.
By the way, did you know that
33. 92% of ATMs are vulnerable to hacker attacks.
There are several ways to hack an ATM, but consider this – if your card data is stolen, then 100% of ATMs would be vulnerable to this kind of attack.
When talking about the dark web and hackers, a question arises – How many hackers are there?
No one knows.
But we can make an educated guess based on the following stat:
34. The Tor network had more than 2.2 million users in 2017.
The dark web hosted almost 60,000 unique onion domains, and around 57% of them hosted illegal content.
And one more interesting fact for the dark market, before we move on:
35. You can become an American citizen for $6,000.
You can also buy a fake passport + driving license + ID card from different countries if you can spare 700-900 euro. (approx. $787-$1010 at the exchange rate at the time of writing)
Let’s move on from the hacking statistics of 2018.
Hacking isn’t all about criminal masterminds and cybersecurity. Sometimes it’s fun, and I have a list for you.
Not all cyber attacks are malicious or vicious. Hackers have a wicked sense of humour.
36. Operation Cupcake
(Source: Washington Post)
In 2011 MI6 took down the instructions for bomb-making from an online al-Qaeda magazine and replaced them with recipes for cake. I guess the Taliban didn’t fall for it since there were no exploding muffins in the last eight years.
37. #Lil’ Trump
This is one of the hacking facts I’ll cherish in my memory. In 2013 Donald Trump’s Twitter account was hacked, and the hacker posted some Lil’ Wayne lyrics.
(Source: Daily Mail)
In 2012, Iran’s nuclear facilities were under cyberattack. The hackers forced workers at two of the nuclear facilities to listen to AC/DC’s Thunderstruck repeatedly at full volume. Even if you’re a fan, it can still annoy you at some point.
39. Friendless Samy
In 2005 Samy Kamkar took down MySpace. For our younger readers, MySpace was a social network like Facebook, only cooler. If someone shuts down Facebook now, it would be one of the biggest hacks of 2019. However, Samy didn’t want to shut down MySpace. All he wanted was…some friends. To achieve his dream he wrote a worm, exploiting a vulnerability in MySpace. Infected profiles became “friends” to Samy’s page. And then their friends as well and so on. It took Samy a day to get a million friends on his page. MySpace couldn’t take it.
40. The first hack
In 1903 Guglielmo Marconi (the father of modern radio) was ready to transmit a message via the first wireless broadcasting technology. It used the same system as the telegraph. When he was prepared to send the message, the apparatus began to tap out a message in Morse code. The word was “RATS”, repeated over and over again. The first of the many hacking cases to come in history happened because the radio’s channel wasn’t as private as Marconi thought. More than a century later we still have the same problem.
Well, that’s all folks. I hope you found this article helpful and interesting. We learned some cool facts together and we saw the world of hackers is not just about money. Curiosity and ethics play a large role as well.