The password manager’s most recent data breach is so concerning, users need to take immediate steps to protect themselves.
YOU’VE HEARD IT again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. For the security service’s 25.6 million users, though, the company made a worrying announcement on December 22: A security incident the firm had previously reported (on November 30) was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data.
The details LastPass provided about the situation a week ago were worrying enough that security professionals quickly started calling for users to switch to other services. Now, nearly a week since the disclosure, the company has not provided additional information to confused and worried customers. LastPass has not returned WIRED’s multiple requests for comment about how many password vaults were compromised in the breach and how many users were affected.
The company hasn’t even clarified when the breach occurred. It seems to have been sometime after August 2022, but the timing is significant, because a big question is how long it will take attackers to start “cracking,” or guessing, the keys used to encrypt the stolen password vaults. If attackers have had three or four months with the stolen data, the situation is even more urgent for impacted LastPass users than if hackers have had only a few weeks. The company also did not respond to WIRED’s questions about what it calls “a proprietary binary format” it uses to store encrypted and unencrypted vault data. In characterizing the scale of the situation, the company said in its announcement that hackers were “able to copy a backup of customer vault data from the encrypted storage container.”
“In my opinion, they are doing a world-class job detecting incidents and a really, really crummy job preventing issues and responding transparently,” says Evan Johnson, a security engineer who worked at LastPass more than seven years ago. “I’d be either looking for new options or looking to see a renewed focus on building trust over the next few months from their new management team.”
The breach also includes other customer data, including names, email addresses, phone numbers, and some billing information. And LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted but other information, like URLs, are not. In this situation, the plaintext URLs in a vault could give attackers an idea of what’s inside and help them to prioritize which vaults to work on cracking first. The vaults, which are protected by a user-selected master password, pose a particular problem for users seeking to protect themselves in the wake of the breach, because changing that primary password now with LastPass won’t do anything to protect the vault data that’s already been stolen.
Or, as Johnson puts it, “with vaults recovered, the people who hacked LastPass have unlimited time for offline attacks by guessing passwords and attempting to recover specific users’ master keys.”
This means that LastPass users should go through their vaults and take extra steps to protect themselves—including changing all of their passwords.
Start by turning on two-factor authentication for as many of your accounts as possible, particularly high-value accounts like your email, financial services, and highly used social media accounts. This way, even if attackers compromise the passwords for the accounts, they can’t actually log in without the one-time code or hardware authentication key you’ve added as the second factor. Next, change the passwords for all of those sensitive and high-value accounts. And then change all the remaining passwords stored in your LastPass vault.
As you’re doing all of this (or at least as much of it as you can), the time is ripe to switch to a new password manager. You can add accounts to the new service as you change them. WIRED recommends 1Password and the free service Bitwarden, along with some alternatives. We haven’t recommended LastPass since the company scaled back its free offerings a couple of years ago, given that LastPass had suffered an array of past security incidents before this latest, most dire breach was even revealed.
“One hundred percent, yes, people should switch to other password managers,” says one senior security engineer, who asked not to be named because of professional relationships with people on the LastPass security team. “They failed to do the one thing they are supposed to provide—cloud-based secure credential storage.”
Security practitioners universally emphasize that the situation with LastPass shouldn’t deter people from using password managers in general. And if you’re a loyal LastPass user, you should still change your vault password, turn on two-factor authentication for every account that offers it, and change all the passwords in your vault, even if you don’t migrate somewhere else in the process.
“As someone with experience handling and communicating EU data breach notifications, I’d say that LastPass’s chosen communication strategy may undermine user confidence,” says Lukasz Olejnik, an independent privacy researcher and consultant. “The big issue is also the timing. Why do it just prior to the end-of-year holidays, when the initial investigation began months ago?”
As Jeremi Gosney, a longtime password cracker and senior principal engineer of the Yahoo security team, wrote this week in an extensive series of posts about the situation: “I used to support LastPass. I recommended it for years and defended it publicly in the media … But things change.”
Click here to view the full article on WIRED.com.