If you are here, chances are you have already heard of the LastPass Security Incident. Some immediate reactions to the news are likely to be:
- How did this happen?
- Didn’t LastPass have a breach in August as well?
- I thought a password manager was supposed to be more secure?
- What is the point of a password manager then?
- What do I need to do to ensure that my accounts remain secure?
- Should I ditch LastPass?
Let’s start with the basics.
In chronological order, here is how some of the events unfolded.
On August 25th, LastPass sent the following message to its customers:
“We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults.”
At that point, they reinforced the message and clearly stated that there was no indication that any customer or vault data was compromised.
On December 22nd, LastPass published an update and communicated to customers that:
“... an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.”
They go into some technical details about what was accessed and how it came about. According to LastPass, some of the data that was compromised in August (LastPass code and technical information) was then leveraged to execute the incident in December.
The main takeaway here is that it remains unknown when the actual breach occurred. While LastPass communicated on December 22nd, they have not stated the exact timeframe in which the data was stolen, which brings us to our next topic…
What was stolen?
LastPass dives into some very technical details about what was stolen. The stolen data falls into two main categories:
- Encrypted Data: This data will be unintelligible to a third party unless they are able to decrypt it (more on that below). On the surface, the threat actor will not be able to do anything with this data as is.
- Unencrypted Data: Some client metadata was stolen in an unencrypted format, meaning that the threat actor obtained it in a usable, readable form (i.e. plain English text).
The stolen encrypted data includes sensitive data such as:
- Secure notes
- Form-fill data (PII)
Allegedly, this data remains protected by 256-bit AES encryption. At this key length, it would take a modern computer billions of years to brute-force the encryption key itself. However, the key is unlocked by your master password, and it may not take billions of years to brute-force that password.
Some of the unencrypted data that was compromised includes some PII about the customer (or business):
- company names
- end-user names
- billing addresses
- email addresses
- telephone numbers
- the IP addresses from which customers were accessing the LastPass service
Additionally, the website URLs that relate to the Encrypted Data (above) were unencrypted.
Should I be concerned?
Unfortunately, this is the most difficult question to answer. There are two main factors that we would consider when advising whether you should be worried or not:
- What was stored?
- How strong was your master password?
What was stored
If you are a casual LastPass user and store logins for your various social media accounts, online SaaS accounts, etc., then your risk is limited to how greatly you value those services and your presence on them.
If, however, you stored crucial account data (banking information, the combination to the safe in your house, electronic lock codes, etc.), then a higher degree of concern is definitely warranted.
To further complicate things, on top of assessing what could be compromised, you should also think about how strong your password was. While it will take billions of years to crack the encryption, it may not take billions of years to guess your password.
LastPass may argue that you are in no worse position now than before, since the breach does not change how hard your password is to guess. This may be true; however, the threat actor now holds a copy of the encrypted vault and is no longer restricted by additional security measures (like MFA or rate limiting on the login service) when trying to guess your password offline and use it to unlock the encryption.
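The two comparisons above (the AES-256 key versus the master password, and online versus offline guessing) can be put into numbers. The following is an added example, not code from the original post or from LastPass: it models worst-case search time as keyspace divided by guess rate. The guess rates and the key-derivation iteration count used in the scenarios are constructed, illustrative figures, not measurements of any real attacker or of LastPass's configuration.

```python
"""Offline guessing cost model for a password-protected vault (illustrative example)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AES256_KEY_BITS = 256

# Constructed, illustrative guess rates (assumptions, not measured values).
ONLINE_RATE = 10.0            # guesses/second against a login page with lockouts and MFA
OFFLINE_RATE = 1e9            # guesses/second against a stolen vault copy on commodity GPUs


def password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly from charset_size**length candidates."""
    return length * math.log2(charset_size)


def effective_vault_bits(master_password_bits: float) -> float:
    """The vault is only as strong as its weakest input: the AES key or the password that unlocks it."""
    return min(AES256_KEY_BITS, master_password_bits)


def worst_case_years(bits: float, guesses_per_second: float, kdf_iterations: int = 1) -> float:
    """Years to try every candidate when each guess costs kdf_iterations hash evaluations.

    A password-based key derivation function with many iterations multiplies the attacker's
    work per guess; the iteration count passed in here is a constructed parameter.
    """
    candidates = 2.0 ** bits
    return candidates * kdf_iterations / guesses_per_second / SECONDS_PER_YEAR


def scenarios(kdf_iterations: int = 100_000) -> dict:
    """Compare the AES key space with two master-password policies under online and offline guessing."""
    weak = password_bits(36, 8)    # 8 chars, lowercase letters and digits
    strong = password_bits(94, 16)  # 16 chars from all printable ASCII
    return {
        "aes256_key_offline_years": worst_case_years(AES256_KEY_BITS, OFFLINE_RATE),
        "weak_password_online_years": worst_case_years(weak, ONLINE_RATE),
        "weak_password_offline_years": worst_case_years(weak, OFFLINE_RATE, kdf_iterations),
        "strong_password_offline_years": worst_case_years(strong, OFFLINE_RATE, kdf_iterations),
        "weak_effective_bits": effective_vault_bits(weak),
        "strong_effective_bits": effective_vault_bits(strong),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:32s} {value:.3g}")
```

The AES key space alone is out of reach at any plausible guess rate, so the realistic target is the master password. The same weak password that would take lifetimes to guess through a rate-limited login page falls in hours once the attacker has an offline copy, and only a high-entropy password (or a large key-derivation work factor) restores the margin.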
As LastPass mentioned in their blog post, if you followed the password best practice guidelines, then there is less need for concern, as your master password itself will be harder to brute-force. Similarly, if you also have MFA on each of the accounts stored in LastPass, it will be more difficult for the threat actor to gain access to those accounts with the information from your LastPass vault. Here are some additional resources:
What actions should I take?
Now that we have discussed what happened and how badly you could be affected, what should you do about it?
- Review what was stored in your LastPass vault
- Determine if you should update your master password
- Update the passwords of any accounts that were stored in LastPass
Long Term Actions
- Always use MFA where possible
- Get into the practice of creating high entropy passwords
- Re-evaluate your relationship with LastPass (there are others out there!)
Should I ditch LastPass (or Password Managers) for good?
We all have that lovely friend or system administrator at work who constantly touts the benefits of password managers. While, on the surface, this may seem to be all the evidence we need to give them the proverbial “I told you so” and do away with password managers for good, the benefits still outweigh the risks.
The answer to this will be yours and yours alone. There are experts who recommend switching away from LastPass, and there are some who will say that this could have happened to anyone. Ultimately, as the consumer, it is your opinion that matters. Things to consider:
- Did they do a good job notifying you of the issue?
- Was the communication clear, informative and trustworthy?
- Have they done enough to assure you that your data will be safe in the future?
Hopefully we were able to provide some clarity on the topic!