LastPass Data Breach: What Happened and What You Need to Know
This LastPass announced a security incident on their blog which you can read here.
If you aren’t familiar with LastPass, they offer a few different products, but their primary product is a password manager. What is a password manager? Essentially, it is a vault that you secure with your master password. The contents of that vault are all of the users’ site passwords. Password managers are generally a great product, especially when used correctly, but just like any other technology company, they are constantly under attack from various unscrupulous individuals who would love to see the contents of your vault. And just like any other technology company security is a difficult and major burden that they must face every minute of every day.
Hackers obtained data as a result of the LastPass security incident
Going back to the specific article:
Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
From a developer’s perspective, I read this like a member of their team exposed the development environment likely to the public due to a misconfiguration. As a result, they were able to use the information they obtained to “target” an employee. This could have been through having direct access to a machine that the user was utilizing or they could have done something like found the user and then launched a phishing attack against them to steal more credentials.
Either way, the lastpass security incident allowed the hacker was able to obtain some critical personal user information:
… the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
LastPass security lapse compromises customer vault
Not only that but to make matters even worse the hacker was able to get access to the entire customer vault. This is a serious issue and a major violation of consumer trust in my opinion. Even if you’ve encrypted your vault, if you have a weak master password or don’t have 2 Factor Authentication on your primary account, you should be extremely concerned because the weaker your password the more susceptible it will be to a brute force attack.
If you do use LastPass and aren’t using 2FA I suggest you immediately set that up on your primary accounts. Things like bank accounts, payment accounts, social media, or any other account that if exposed could cause you serious financial or personal harm. I’ve written a series on 2FA. You can read part 1 here and part 2 here.
Should you be using LastPass after the data breach?
Even though there was a recent security incident I still believe LastPass is a viable option for password management. Although I prefer using Bitwarden over LastPass. It’s important to remember that even these tools created to make things like security and privacy easier sometimes come with their own risks which you wouldn’t be subject to without them.
The big issue with password management is that it centralizes all of your passwords in one location. Clearly, as an end user that makes for a great experience, but the security-minded will immediately point out the risk of having all of your eggs in one basket and they aren’t wrong. If you store everything in one place that means that a hacker only has to gain access to that one place before getting keys to the kingdom.
However, that doesn’t mean you shouldn’t use a password manager. But if you are going to use one it is imperative that you secure your account.
2 things you can do to keep your passwords safe
Here are 2 things you can do to make sure your accounts are secure inside a password manager.
Create a strong master password
LastPass recommends a 12-character minimum master password and I agree. I’d also suggest using a combination of capital and non-capital letters, as well as numbers and symbols in your password. The stronger your master password the harder it will be for hackers to decrypt your vault, as a matter of fact, LastPass says that by using the default settings in the password manager it will take “millions of years” to guess your password and I don’t doubt that is true.
Set up multi-factor authentication
If multi-factor authentication weren’t a thing, I wouldn’t use a password manager. I view this as my primary source of security on my password manager. I also recommend that this be a physical key or an authenticator app and not SMS-based authentication. 2FA will make it so that if the user doesn’t have your device they cannot access your account even if they do have your password.
How does this help you?
Well in the case above even if they can gain access to your encrypted passwords and defeat your master password, you’ll still have 2FA on those accounts as a last line of defense. Hackers will not be able to gain access to your passwords unless they have your physical key or your authenticator app.
Keep in mind that you need to set up 2FA on your Password Manager as well as on any other high-priority accounts for this to be effective.
What’s next for LastPass?
Password managers have come a long way in the last 10 years and I’m sure the tech will continue to evolve as the years go on. Right now it’s a relatively safe technology as long as you are following the steps laid out above, but I suspect that companies like this will continue to improve and invest in their security infrastructure so that events like this don’t continue to happen.
It’s something to keep a close eye on though. If this starts to become a pattern of events for any company it may be time to move on to a company with fewer leaks and violations of consumer privacy. To be honest though, if this continues for them, you won’t have to leave because if LastPass cannot get it together then they won’t be around for long. This is true for any company in the privacy and security space that isn’t maintaining user privacy and security. For today though I don’t think it’s the final nail in the coffin, but it’s something I’ll be watching in the future.
Again, if you do use LastPass I suggest you take the steps above to make sure your major accounts are protected. Don’t risk a bad actor getting into your bank accounts and exposing your life’s savings.
Stay safe readers!
Good to know!