LastPass: Choosing Your Next Steps
Uncited block quotes are from LastPass security updates.
Two LastPass breaches were announced in August and December 2022.
LastPass is no longer recommended.
The LastPass Security Breaches
TL;DR: the breach was helped by a lax security policy: an employee was accessing critical company data from a home computer.
So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022.
— Almost Secure
The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, along with the number of PBKDF2 iterations configured for each account, MFA seeds and device identifiers. The vault data included, for each affected user, unencrypted website URLs and site names, plus encrypted usernames, passwords and form data for those sites. According to the reports, the stolen data did not include a plaintext copy of any user's master password.
This raises the question of what to do next, but first a harder look at what happened.
First Incident Reported August 25th
LastPass let their users know on August 25, 2022 that a security breach had occurred August 8–12, but stated that only proprietary information was taken:
A software engineer's corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.
We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
The hacker was able to gain access by exploiting a vulnerable piece of consumer software on the DevOps engineer's computer.
Neither incident was caused by any LastPass product defect or unauthorized access to — or abuse of — production systems.
Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.
Such software should NEVER have been on any computer accessing either LastPass development areas or customer data.
Second Incident Reported December 22nd
A second breach was reported on December 22, with LastPass reporting that there had been no malicious access after October 26:
The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
The loss of customer data wasn't reported for nearly two months.
Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren't amused; this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.
— Almost Secure
“Your Vault is Safe”
The statement asserted that a customer's password vault remained secure provided they had used a good master password:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
If you use the default settings [twelve-character minimum master password and 100,100 iterations of the PBKDF2], it would take millions of years to guess your master password using generally-available password-cracking technology.
Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture. There are no recommended actions that you need to take at this time. [emphasis mine]
This left most customers feeling their data was safe.
LastPass Encrypts Your Password Vault
The good news is that LastPass encrypts your password vault before it uploads it to the cloud, which is one of the reasons I recommended it.
- What data was accessed?
- About password iterations.
- How do I change my password iterations for LastPass?
However, There are Serious Concerns
However, there are some very serious concerns:
- A lot of personal data was exposed unencrypted, including your email address, telephone number, mobile device unique identifier, billing address and more.
- Many LastPass users had master passwords shorter than the currently recommended 12-character minimum, and far fewer than the 600,000 PBKDF2 iterations currently recommended (many with 5,000, some with as few as 1).
- The number of iterations was stored unencrypted.
- The website URLs in your vault were not encrypted, so anyone holding the stolen vaults could see which users had the most valuable data.
Not Enough Iterations
Unfortunately, vaults protected by fewer iterations are much easier to crack.
More details came out in January and February 2023 indicating that LastPass had neither informed users who were still on 5,000 or fewer iterations (the default for new accounts prior to July 9, 2018) that they should upgrade to at least 600,000, nor enforced the upgrade.
LastPass uses the Password-Based Key Derivation Function 2 (PBKDF2) to turn your master password into the key that encrypts your vault, which is what makes a brute-force attack expensive. PBKDF2 repeatedly applies a keyed hash (HMAC-SHA256 in LastPass's case) to the master password and a salt; the result cannot be reversed, and an attacker who holds a copy of the vault must repeat the whole computation for every password guess. More iterations do not make the key itself stronger; they multiply the cost of each guess, so the attacker's work scales directly with the iteration count.
As a result, many, many LastPass users were still on far too few iterations for today's multi-GPU cracking rigs, and their vaults will be relatively easy to crack.
LastPass may have added a further 100,100 iterations after the vault is uploaded to their servers, but any server-side hashing can only protect the authentication hash LastPass stores: the key that decrypts the vault has to be derivable on the client from the master password and the stored iteration count, so extra server-side rounds do nothing for a vault that is already in the attacker's hands.
Not Everything was Encrypted
Even if your master password and iteration count were decent, LastPass didn't encrypt everything.
A few days ago LastPass admitted that unknown attackers copied their “vault data.” It certainly doesn't help that LastPass failed to clarify which parts of the vaults are encrypted and which are not. LastPass support adds to the confusion by stating that password notes aren't encrypted which I'm quite certain is wrong.
Passwords, account and user names, as well as password notes are encrypted. Everything else: not so much. Page addresses are merely hex-encoded and various metadata fields are just plain text.
— Almost Secure
What Data was Accessed?
The stolen data includes the following unencrypted data:
- company names
- end user names
- billing addresses
- telephone numbers
- email addresses
- IP addresses which customers used to access LastPass
- website URLs from your password vault
In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use.
— Graham Cluley
One of the unencrypted fields in each stolen record was the number of PBKDF2 iterations the account was configured to use, so the attackers know which vaults will be the cheapest to decrypt.
See Steve Gibson's explanation of the significance of iterations on this Security Now podcast:
Those in possession of the vaults can scan this unencrypted information to see whether you've stored banking, credit-card and similar financial logins, making those cherry-picked vaults prime targets for brute-force decryption. The same data also makes spear-phishing attacks against you more effective.
If you're among those with both weaker security and high-value site passwords or credit card information in your vault, you must act quickly.
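To make the triage described above concrete, here is an added example (not LastPass code, and the records are constructed, not real breach data). It models only the three properties the article establishes: the PBKDF2 iteration count sits in the clear, vault URLs are hex-encoded rather than encrypted, and the vault key is derived client-side from the master password. The attacker ranks the stolen records by what can be read without any password, then spends a fixed cracking budget on the cheapest, most valuable vaults first. The use of the account email as the PBKDF2 salt and the `key_check` field are assumptions of this demo; a real attacker would instead try to decrypt a field and look for plausible plaintext.

```python
"""Offline triage and cracking of stolen vault records (constructed demo).

Added example, not LastPass code and not real LastPass data.  Models only
what the article describes: iteration count stored unencrypted, URLs
hex-encoded rather than encrypted, vault key derived from the master
password.  Salt choice and the key_check field are assumptions of this demo.
"""
import hashlib
import hmac

FINANCIAL_HINTS = ("bank", "chase", "paypal", "fidelity", "visa")
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the account
    email (assumption of this demo).  Every guess an offline attacker makes
    must pay exactly this cost: iterations multiply the attacker's work,
    they do not strengthen the key itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, KEY_LEN)


def key_check(key: bytes) -> str:
    """Constructed stand-in for 'does this key decrypt the vault?'."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).hexdigest()[:16]


def decode_url(hex_url: str) -> str:
    """URLs in the stolen vaults were hex-encoded, not encrypted."""
    return bytes.fromhex(hex_url).decode()


def make_record(email, master_password, iterations, urls):
    """Build one stolen record.  Only key_check depends on the master
    password; everything else is readable by whoever holds the backup."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email,
            "iterations": iterations,                  # stored unencrypted
            "urls": [u.encode().hex() for u in urls],  # hex-encoded, not encrypted
            "key_check": key_check(key)}


def is_financial(rec) -> bool:
    """Readable without the password: does the vault list a financial site?"""
    urls = [decode_url(h).lower() for h in rec["urls"]]
    return any(hint in u for u in urls for hint in FINANCIAL_HINTS)


def triage(records):
    """Order records the way an attacker would: vaults listing financial
    sites first, then cheapest (fewest iterations) first."""
    return sorted(records, key=lambda r: (0 if is_financial(r) else 1, r["iterations"]))


def crack(rec, wordlist, budget=1_000_000):
    """Guess loop with a fixed budget of PBKDF2 iterations.  Returns
    (recovered password or None, iterations actually spent)."""
    spent = 0
    for guess in wordlist:
        if spent + rec["iterations"] > budget:
            break   # a 600k-iteration vault burns the budget on the second guess
        spent += rec["iterations"]
        key = derive_vault_key(guess, rec["email"], rec["iterations"])
        if hmac.compare_digest(key_check(key), rec["key_check"]):
            return guess, spent
    return None, spent


# Constructed records; the iteration counts mirror values the article cites
# (1 and 5,000 for older accounts, 600,000 as the current recommendation).
STOLEN = [
    make_record("carol@example.com", "x7#Vq!2pLm9$wRz&", 600_000, ["https://forum.example.net"]),
    make_record("alice@example.com", "password123", 1, ["https://www.chase.com", "https://mail.example.com"]),
    make_record("dave@example.com", "letmein", 500, ["https://news.example.org"]),
    make_record("bob@example.com", "Summer2022!", 5_000, ["https://paypal.com/login"]),
]
WORDLIST = ["123456", "password", "password123", "letmein", "Summer2022!"]


def run_demo():
    """Attack the records in triage order; returns {email: password or None}."""
    results = {}
    for rec in triage(STOLEN):
        pw, spent = crack(rec, WORDLIST)
        results[rec["email"]] = pw
        print(f'{rec["email"]:20} iterations={rec["iterations"]:>7} '
              f'financial={is_financial(rec)!s:5} spent={spent:>9} -> {pw}')
    return results


if __name__ == "__main__":
    run_demo()
```

Running it attacks alice (financial, 1 iteration), bob (financial, 5,000), then dave and carol. The three low-iteration vaults fall to a five-word list for a few thousand PBKDF2 iterations in total, while the 600,000-iteration vault exhausts the whole budget on its first guess and survives even though the same budget would have covered a million guesses against alice. That asymmetry, visible to the attacker before a single guess is made, is why the unencrypted iteration count and URLs matter as much as the master password itself.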
If you would like more detailed discussion about the LastPass 2022 breach and its implications, listen to these podcasts with Steve Gibson and Leo Laporte:
Choosing Your Next Steps
Whichever choice you make, you'll need to assume that all your passwords were compromised or may be in the future.
You should NEVER reuse any password but especially not your password manager's master password.
LastPass or Not?
Keeping these considerations in mind:
- Any password manager is better than none, but there are advantages to a password manager with a proven track record for security and reliability.
- You'll have to assume all the passwords in your vault were compromised and you need to change them.
- I strongly recommend closing any unused accounts then deleting those passwords from your vault.
The hackers who stole the LastPass customer vault data have no time limit on their attempts to brute-force any of these vaults. The vaults of significant companies and individuals will probably be attacked first, followed by vaults containing banking or other financial passwords that are protected by weak master passwords or low iteration counts.
Even if your LastPass vault is not cracked immediately, an offline copy never expires and cracking hardware keeps getting cheaper, so a vault that holds up today could be cracked within five or ten years.
What if LastPass Fails?
Something else you need to consider is what would happen if LastPass were to fail because of these incidents and the publicity surrounding them.
If that were to happen, access to your online vault would probably cease to exist.
Much Negative Press
There has been a lot of negative press:
Previously, LastPass had been a four-star Editors' Choice product. In late 2022, the company announced that a data breach exposed users' encrypted vault data and other unencrypted personal data. Additional details about the breach and the aftermath came to light in February 2023.
Because LastPass initially failed to inform its users of the breach and to adequately protect them, we removed the score and Editors' Choice designation from this review. PCMag is currently reviewing its recommendations of password managers and retesting them.
At this time, we recommend open-source Editors' Choice winner Bitwarden for anyone looking to switch to a new password manager.
Security Experts Advise Moving to Bitwarden
Many security experts, including those I follow and respect, are also moving away from LastPass to Bitwarden.
Steve Gibson (whose recommendation of LastPass helped form mine) is concerned that LastPass has not warned users with weaker passwords.
Too Little, Too Late
LastPass is making an effort to fix what went wrong, and there is every reason to believe they were deliberately targeted.
However, they were very slow to let users know that their vaults had been stolen, and the company had developed some very bad security practices, such as leaving too much information unencrypted inside supposedly secure vaults and allowing vulnerable third-party software on their DevOps engineers' computers.
Some of this was because LastPass was a legacy product developed when security demands were lower, but they failed to keep up with the technology and didn't inform their customers about the risks of not upgrading their master password and iteration count.
- If you're still on LastPass, why!? Nick Espinosa explains why staying with LastPass is unwise.