Russ Harvey Consulting - Computer and Internet Services

LastPass: Choosing Your Next Steps


Uncited block quotes are from LastPass security updates.

Two LastPass breaches were announced in August and December 2022.
LastPass is no longer recommended.

The LastPass Security Breaches

TL;DR: The breach was helped by a lax security policy: an employee was accessing critical company data from their home computer.

 

So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022.
Almost Secure
The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, and the number of rounds of encryption used, MFA seeds and device identifiers. The vault data included, for each breached user, unencrypted website URLs and site names, and encrypted usernames, passwords and form data for those sites. According to the reports, the stolen info did not include a plain text copy of the user's master password.
Wikipedia

This raises the question of what to do next, but first, a harder look at the issue.

First Incident Reported August 25th

LastPass let their users know on August 25, 2022 that a security breach had occurred August 8–12, but stated that only proprietary information was taken:

A software engineer's corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.

 

We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

The hacker was able to gain access by exploiting a vulnerable piece of consumer software on the DevOps engineer's computer.

Neither incident was caused by any LastPass product defect or unauthorized access to — or abuse of — production systems.

 

Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.

Such software should NEVER have been on any computer accessing either LastPass development areas or customer data.

Second Incident Reported December 22nd

A second breach was announced on December 22; LastPass stated that no malicious access had occurred after October 26th:

The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.

The loss of customer data wasn't reported for nearly two months.

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren't amused; this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.
Almost Secure

“Your Vault is Safe”

The statement noted that a customer's password vault was secure if you'd used a good password:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

 

If you use the default settings [twelve-character minimum master password and 100,100 iterations of the PBKDF2], it would take millions of years to guess your master password using generally-available password-cracking technology.

 

Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture. There are no recommended actions that you need to take at this time. [emphasis mine]

This left most customers feeling their data was safe.

LastPass Encrypts Your Password Vault

The good news is that LastPass encrypts your password vault before it uploads it to the cloud, one of the reasons I recommended it.

However, there are Serious Concerns

However, there are some very serious concerns:

  • A lot of personal data was released unencrypted including your email address, telephone number, mobile device unique identifier, billing address, and more.
  • Many LastPass users were using passwords shorter than the currently recommended 12-character minimum and far fewer than the 600,000 PBKDF2 iterations currently recommended (many with 5,000, some with as few as 1).
  • The number of iterations was stored unencrypted.
  • The websites contained in your vault were not encrypted. Anyone with your vault could use this data to see which users had the most valuable data.

Not Enough Iterations

Unfortunately, the vaults with fewer iterations would be much easier to crack.

More details came out in January and February indicating that LastPass had failed to inform users who were still using 5,000 or fewer iterations in their LastPass settings (the default for new users prior to July 9, 2018) that they should upgrade to at least 600,000, and had failed to enforce that upgrade.

LastPass makes use of the Password Based Key Derivation Function (PBKDF2) which makes it harder for someone to guess your account password through a brute-force attack. Each round of PBKDF2 hashing converts your original input — the master password — into a unique encryption key using hashing. This type of hashing can't be reversed. The more PBKDF2 iterations you apply, the more secure the encryption key will be and the harder it will be to guess.

As a result, many, many LastPass users were still using far too few iterations for today's multi-GPU cracking rigs. Those users' vaults will be relatively easy to crack.

LastPass may have added a further 100,100 iterations after the vault is uploaded to their servers.
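To make the iteration numbers above concrete, here is an added example (my own illustration, not code from the article or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 and estimates how long exhausting a random master password would take at each of the iteration counts discussed. It assumes LastPass-style parameters (the lower-cased account email as the salt, a 32-byte key); the attacker hash rate is a stated assumption, not a measured figure.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Assumption (not from the article): the lower-cased account email is the
    salt and the output is 32 bytes, mirroring what is reported for LastPass.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def time_one_derivation(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for one derivation on constructed input."""
    best = math.inf
    for _ in range(repeats):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def years_to_exhaust(charset_size: int, length: int, iterations: int,
                     sha256_per_second: float) -> float:
    """Years to try every password of this length over this character set.

    One PBKDF2 guess costs roughly `iterations` hash evaluations, so the
    attacker's guess rate is sha256_per_second / iterations. The rate is the
    caller's assumption about attacker hardware; only the ratio between
    iteration settings is the point here.
    """
    guesses_per_second = sha256_per_second / iterations
    return (charset_size ** length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    assumed_rate = 1e10  # hypothetical attacker: 10 billion SHA-256/s
    for its in (1, 5_000, 100_100, 600_000):
        print(f"{its:>7} iterations: {time_one_derivation(its) * 1e3:8.2f} ms each; "
              f"8 random chars: {years_to_exhaust(95, 8, its, assumed_rate):.1e} yrs; "
              f"15 random chars: {years_to_exhaust(95, 15, its, assumed_rate):.1e} yrs")
```

The output shows that moving from 5,000 to 600,000 iterations slows every guess by a factor of 120, while going from 8 to 15 random characters multiplies the keyspace by 95^7; the password length dominates, which is why the article insists on both.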

Not Everything was Encrypted

Even if your vault's password and iterations were decent, LastPass didn't encrypt everything.

A few days ago LastPass admitted that unknown attackers copied their “vault data.” It certainly doesn't help that LastPass failed to clarify which parts of the vaults are encrypted and which are not. LastPass support adds to the confusion by stating that password notes aren't encrypted which I'm quite certain is wrong.

 

Passwords, account and user names, as well as password notes are encrypted. Everything else: not so much. Page addresses are merely hex-encoded and various metadata fields are just plain text.
Almost Secure

What Data was Accessed?

The stolen data includes the following unencrypted data:
  • company names
  • end user names
  • billing addresses
  • telephone numbers
  • email addresses
  • IP addresses which customers used to access LastPass
  • website URLs from your password vault
In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use.
Graham Cluley

One of the unencrypted pieces of data released was the number of PBKDF2 iterations that an end user was configured to use. This means they will know which vaults will be easiest to decrypt.

See Steve Gibson's explanation of the significance of iterations on this Security Now podcast:

Those in possession of your vault can scan this unencrypted information to see if you've included banking, credit cards and similar financial information, making those cherry-picked vaults a prime target for brute-force decryption. The same information also makes spear-phishing attacks against those users more effective.

If you're among those with both weaker security and high-value site passwords or credit card information included in your vault, you must act quickly.

Learning More

If you would like more detailed discussion about the LastPass 2022 breach and its implications, listen to these podcasts with Steve Gibson and Leo Laporte:


Choosing Your Next Steps

Whichever choice you make, you'll need to assume that all your passwords were compromised or may be in the future.

Recommendations

You should NEVER reuse any password but especially not your password manager's master password.

Choose a password that is both long and strong enough to withstand current brute force attacks (a minimum of 15 random characters, but ideally more).

LastPass or Not?

The first decision is whether to stay with LastPass or to move to something else.

Keeping these considerations in mind:

  • Any password manager is better than none, but there are advantages to a password manager that is proven secure and reliable.
  • You'll have to assume all the passwords in your vault were compromised and you need to change them.
  • I strongly recommend closing any unused accounts then deleting those passwords from your vault.

The hackers who stole all the LastPass customer vault data have no time limit on their attempts to brute force any of these vaults. The vaults of significant companies and individuals will probably be attacked first, followed by vaults that contain banking or other financial passwords but are protected by poor master passwords.

Even if your entire LastPass vault was not immediately compromised, it could be cracked within five or ten years.

What if LastPass Fails?

Something else you need to consider is what would happen if LastPass were to fail because of these incidents and the publicity surrounding them.

If that were to happen, access to your online vault would probably cease to exist.

Much Negative Press

There has been a lot of negative press:

Previously, LastPass had been a four-star Editors' Choice product. In late 2022, the company announced that a data breach exposed users' encrypted vault data and other unencrypted personal data. Additional details about the breach and the aftermath came to light in February 2023.

 

Because LastPass initially failed to inform its users of the breach and to adequately protect them, we removed the score and Editors' Choice designation from this review. PCMag is currently reviewing its recommendations of password managers and retesting them.

 

At this time, we recommend open-source Editors' Choice winner Bitwarden for anyone looking to switch to a new password manager.
PCMag

Security Experts Advise Moving to Bitwarden

As well, many security experts, including those I follow and respect, are moving away from LastPass to Bitwarden.

Steve Gibson (whose recommendation of LastPass helped form mine) has some concerns with the fact that LastPass has not warned users with weaker passwords.

His Twitter posts and Security Now! #905 (PDF) discuss his concerns. The latter includes a PowerShell script that can help you determine how strong your LastPass vault is.

Too Little, Too Late

LastPass is making the effort to fix the things that went wrong. There is every reason to believe that they were targeted for this attack.

However, they were very slow to let users know that their vaults had been stolen. The company had developed some very bad security practices such as too much unencrypted information in secured vaults and allowing third-party software on their DevOps computers.

Some of this was because LastPass was a legacy product developed when security needs were less intense, but they failed to keep up with the technology and didn't inform their customers about the risks of not upgrading their vault master password and iterations.

 

Staying with LastPass

If you're going to stick with LastPass, you'll need to set the number of iterations for your account to at least 100,100 (320,000 recommended), then change your master password to at least 12 characters (15–20 recommended), then change every password in your vault.

Potential for Failure

There is going to be significant blowback from LastPass's failure to warn people with weak passwords and inadequate PBKDF2 iterations as well as the fact that LastPass didn't secure either their servers or their DevOps computers sufficiently to prevent the second breach where user data was stolen. There is a possibility that the company may fail.

Change Your Passwords

If you're with LastPass, you'll need to secure it then change ALL your passwords:

  1. Log onto your LastPass account.
  2. Follow the instructions to change the number of iterations to a more secure level (at least 100,100) then change your master password to be at least 15 characters.
  3. Close any unused accounts by logging onto each legacy site and following its procedures to close your account, then delete those passwords from your vault.
  4. Now delete the legacy account from your LastPass vault.
  5. Now change all the passwords remaining in your vault.

Start with the most vulnerable sites (banks, credit cards, etc.) then move to the less valuable sites. This assumes that you did not share passwords across multiple sites.

LastPass has provided guidance for both consumer and business users:


Leaving LastPass

Realize that ANY cloud-based password manager (or service) is potentially vulnerable.

The alternative is a secure password manager like Password Safe which resides only on ONE computer.

Steve Gibson's initial support of LastPass was one of the main reasons I felt I could recommend LastPass. That was before it was purchased by GoTo (formerly LogMeIn) and then established as an independent, private-equity-owned company in December 2021.

He has now moved to Bitwarden (as have most of the security folks I follow).

Bitwarden Recommended

Bitwarden is open source which allows other developers and programmers to check the validity of the encryption process and point out vulnerabilities.

Don't Change Passwords in LastPass

If you're moving from LastPass, do not change your passwords in LastPass.

  1. Set up your new password manager.
  2. Log onto your LastPass account.
  3. Close any unused accounts by logging onto each legacy site then follow the procedures to close your account.
  4. Now delete the legacy account from your LastPass vault.
  5. Once all legacy accounts have been deleted, export your LastPass data.

Warning: this data will be in CSV format and is NOT encrypted. Hold onto it only long enough to import it into your new password manager, then delete it securely.


Related Resources

On this site:

RussHarvey.bc.ca/resources/lastpass.html
Updated: September 11, 2023