Two months on… should we still be worried about the LastPass breach?
Over the Christmas period, popular password manager LastPass announced that hackers had gained access to customers’ password vaults, writes Tyson McGuirk.
This follows on from an attack in August 2022 in which access was gained to a developer account. It is believed that information obtained from this initial attack was used in the follow-up attack, which led to some customers’ vaults being compromised.
The stolen data is believed to have contained unencrypted information such as email addresses, billing addresses, telephone information and more.
However, the more concerning issue is the stolen encrypted customer data, most specifically customers’ vaults containing various usernames and passwords.
The good news is that the data is encrypted – the hacker will not be able to access the information in a user’s vault without knowing the user’s password. The bad news is that, depending on the strength of that password, this isn’t necessarily hard for a hacker to do with the right tools. Password cracking software exists and can try thousands of passwords in seconds.
Update from LastPass 01/03/2023:
LastPass has released an update about both breaches as well as some recommended actions to take. The full article can be found here: https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/.
In summary, LastPass has apologised for the lack of communication around the incidents that took place, and says it is aiming to communicate better in the future. Details of how the breaches occurred are given:
- The first data breach involved the theft of development environment source code along with technical information from a software engineer’s laptop. No customer information was stolen; however, it’s believed the information gained was used in the second attack. LastPass then details the measures it has put in place to prevent this.
- The second data breach targeted a DevOps engineer and exploited a vulnerability in third-party software and, as mentioned previously, gained access to information including encrypted LastPass vaults.
LastPass has released a detailed rundown of the second attack here: https://support.lastpass.com/help/incident-2-additional-details-of-the-attack, including the actions taken by LastPass to prevent a recurrence. It has also released new advice on LastPass master passwords, which can be found here: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers.
However, while LastPass confirms that the stolen vaults require the master password to decrypt, what it fails to mention is that users whose vaults were stolen are still at risk: the stolen copy could still be decrypted even if their master password has since been changed in line with LastPass’ advice in the blog above. If your LastPass master password was insecure at the time of the breach, then the ONLY way to ensure that the passwords in your vault are secure is to change every password stored in the vault.
It is important to note that, so far, LastPass has seen no evidence to suggest that the stolen data is being used or sold, and LastPass has received no monetary demands or contact from the attacker.
Advice from Indelible Data
I’ve changed my LastPass master password – is my vault now secure?
The safety of customers’ vaults depends largely on the complexity and sophistication of their LastPass master password at the time of the hack. To be clear, this is not a case where a customer can simply log on after the hack, change their master password and be assured that their data is safe. Remember, the hackers have managed to obtain a copy of the vault data itself, meaning they need to decrypt it using the password the customer had at the time of the hack. Changing the LastPass master password now does nothing to protect the copy that has already been stolen.
So, if I had Multi Factor Authentication enabled – would that have helped?
Multi-factor authentication is often viewed as a great way to protect your accounts from hackers trying to log in to them, and for good reason. However, in this instance, MFA will not stop your information from being obtained – the hackers do not need to access your data through the usual LastPass login portal. They already have the data. That means no MFA is required and there is no lockout or timeout period between password attempts. All they need to do is set their password crackers to try millions of passwords until the correct one is found. And unfortunately, repetitive tasks are what computers do best.
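To put numbers on the difference between guessing through a rate-limited login portal and guessing against a stolen vault copy, here is an added Python example (not from the article or from LastPass). The guess rates, the 7776-word list size used to model the NCSC three-random-words advice, and the password shapes compared are assumptions for illustration, not measured figures.

```python
import math

# Assumed guess rates (not figures from the article): an online login portal
# with lockout allows only a handful of attempts per minute, while offline
# guessing against a stolen vault is bounded only by the attacker's hardware
# and the vault's key-derivation cost.
ONLINE_GUESSES_PER_SEC = 5 / 60      # assumed: 5 attempts per minute before lockout
OFFLINE_GUESSES_PER_SEC = 100_000    # assumed: KDF-slowed rate on a GPU rig


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly from charset_size ** length."""
    return length * math.log2(charset_size)


def three_random_words_bits(wordlist_size: int = 7776) -> float:
    """Three random words modelled as three uniform picks from a wordlist.
    7776 is an assumed list size for illustration, not an NCSC figure."""
    return entropy_bits(wordlist_size, 3)


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_sec


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(bits: float, label: str):
    """Print and return (online, offline) expected crack times for one password shape."""
    online = expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC)
    offline = expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC)
    print(f"{label:<22} {bits:5.1f} bits  online: {human(online):>18}  offline: {human(offline):>18}")
    return online, offline


if __name__ == "__main__":
    compare(entropy_bits(26, 8), "8 lowercase letters")
    compare(entropy_bits(95, 8), "8 printable ASCII")
    compare(three_random_words_bits(), "three random words")
    compare(entropy_bits(95, 16), "16 printable ASCII")
```

The point of the table is the gap between the two columns for the same password: the portal's lockout turns an eight-letter password into decades of work, while against the stolen copy the same password falls in days.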
Can I ensure none of my LastPass passwords are compromised?
To be totally sure your passwords are not breached, you would need to invalidate them, which involves changing the passwords of all the online accounts you have stored within LastPass. That means that even if a hacker does gain access to your vault, all they can work with is out-of-date information.
The NCSC recommends the Three Random Words approach to password selection.
Is there a middle ground? Changing every password seems a little overkill.
If you have dozens of passwords, you could choose to take a risk-based approach and focus on these accounts first:
- Identify those online accounts that don’t have Multi-Factor Authentication.
- Consider which accounts hold sensitive information.
You can then work through the rest of your accounts; where an account already has a long-and-strong password together with MFA, some users have chosen to leave it alone (especially if the LastPass master password was also long-and-strong).
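The risk-based triage above can be applied mechanically to a vault export. The following is an added Python example (not the article's or LastPass's own tooling) that ranks accounts by the two criteria the article gives, no MFA and sensitive data, and goes one step further by also flagging short and reused passwords, since a reused password is only as safe as its weakest account. The CSV layout and every value in it are constructed for this example and are not LastPass's real export format.

```python
import csv
import io
from collections import Counter

# Constructed sample in a simplified export layout (columns assumed for this
# example, not LastPass's actual export format); all values are made up.
SAMPLE_VAULT = """name,url,username,password,mfa,sensitive
bank,https://bank.example,alice,Tr0ub4dor&3,no,yes
email,https://mail.example,alice@example.com,correct-horse-battery-staple,yes,yes
forum,https://forum.example,alice99,summer2019,no,no
shop,https://shop.example,alice@example.com,summer2019,no,no
work-vpn,https://vpn.example,alice,Xk9$wq2!Lm7#Pz4@Vb1r,yes,yes
"""

STRONG_LENGTH = 16  # assumed threshold for "long-and-strong"


def triage(vault_csv: str):
    """Return [(name, score, reasons)] sorted so the riskiest accounts come first."""
    rows = list(csv.DictReader(io.StringIO(vault_csv)))
    reuse = Counter(r["password"] for r in rows)   # how many accounts share each password
    ranked = []
    for r in rows:
        score, reasons = 0, []
        if r["mfa"].strip().lower() != "yes":        # article's first criterion
            score += 3; reasons.append("no MFA")
        if r["sensitive"].strip().lower() == "yes":  # article's second criterion
            score += 2; reasons.append("sensitive data")
        if len(r["password"]) < STRONG_LENGTH:       # not "long-and-strong"
            score += 2; reasons.append(f"short password ({len(r['password'])} chars)")
        if reuse[r["password"]] > 1:                 # one breach exposes several accounts
            score += 2; reasons.append("password reused")
        ranked.append((r["name"], score, reasons))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


def rotate_first(vault_csv: str, min_score: int = 3):
    """Accounts to change immediately; anything below min_score has MFA and a
    long, unique password and is what the article says some users leave alone."""
    return [name for name, score, _ in triage(vault_csv) if score >= min_score]


if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_VAULT):
        print(f"{name:<10} score={score}  {', '.join(reasons) or 'MFA + long unique password'}")
    print("change first:", rotate_first(SAMPLE_VAULT))
```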
To conclude
The most recent LastPass breach really highlights how important it is to have a good password, particularly for your password manager.
Customers of LastPass have no control over the cybersecurity measures of LastPass itself, and many will begin to question how secure their stored passwords are, given the recent cyber attacks. However, it is important to focus on what the user can control, and in this case it is the sophistication of their own passwords that may prove to be the best defence against hackers, should they choose to continue using LastPass.