LastPass users must act now in order to protect themselves
One of the most important cybersecurity best practices is to use a password manager. If you opted for one of the top three, LastPass may have been your choice. On December 22, LastPass made a grave announcement to its 25.6 million users: the data breach reported on November 30 was much more serious than originally thought, and the attackers had taken customers' encrypted password vaults along with other user information. The details LastPass supplied are so concerning that security experts recommend immediately changing every password stored in LastPass, especially those for sensitive or financial accounts. Almost a week after the announcement, the company has not given concerned customers any further details. WIRED reached out to LastPass multiple times for comment on the number of password vaults taken and how many users were affected, but received no response.
LastPass Hasn’t Offered Any Clarification
LastPass has yet to say when the vault data was taken. The exact date is uncertain, but it is believed to have been after August 2022. A key concern is how long it will take attackers to recover the encryption keys that protect the vaults, which they can only do by guessing master passwords offline. If the attackers have had the stolen data for three or four months, they have had that much longer to run those guesses, so LastPass users need to act faster than they would if the data had been in attackers' hands only briefly. WIRED asked LastPass about the "proprietary binary format" it uses to store encrypted and unencrypted vault information, but the company did not respond.
What Did the Hackers Get?
LastPass said in its announcement that hackers were "able to copy a backup of customer vault data from the encrypted storage container." Evan Johnson, a former LastPass engineer, said, "In my opinion, they are doing a world-class job detecting incidents and a really, really crummy job preventing issues and responding transparently. I'd be either looking for new options or looking to see a renewed focus on building trust over the next few months from their new management team." The breach also included other customer data: names, email addresses, phone numbers, and some billing information. LastPass has also long been criticized for storing vault data in a hybrid format in which items like passwords are encrypted but other fields, like URLs, are not. Here, the plaintext URLs in a vault give attackers an idea of what it contains and let them prioritize which vaults to crack first. The vaults, protected by a user-chosen master password, pose a particular problem for users trying to protect themselves after the breach: changing that master password with LastPass now does nothing to protect vault data that has already been stolen, because the stolen copy remains encrypted under the old one. Or, as Johnson puts it, "with vaults recovered, the people who hacked LastPass have unlimited time for offline attacks by guessing passwords and attempting to recover specific users' master keys."
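To make the two points above concrete (the plaintext URL fields and the offline guessing attack), here is an added, stand-alone Python model. It is not code from this page or from LastPass. It assumes a hybrid record format (URL in the clear, credentials encrypted), a PBKDF2-HMAC-SHA256 key derivation salted with the account e-mail, and two illustrative iteration counts; LastPass's real format, KDF and iteration settings are not stated on this page, so consult the technical whitepaper linked in the Barracuda MSP recommendations at the end for those. The HMAC-based keystream cipher is a stand-in for a real AEAD so the script needs only the standard library, and every vault record and the wordlist are constructed sample data.

```python
"""Toy model of an offline attack on stolen password-manager vaults.

Everything here is a constructed illustration: the vault format, KDF
parameters, cipher and sample data are assumptions, not LastPass's design.
"""
import hashlib
import hmac
import os
import time

# Assumed KDF: PBKDF2-HMAC-SHA256 over the master password, salted with the
# account e-mail. Iteration counts are illustrative, not LastPass's values.
LOW_ITERATIONS = 5_000
HIGH_ITERATIONS = 100_000

# Substrings an attacker treats as high-value when triaging by plaintext URL.
HIGH_VALUE = ("bank", "mail", "coinbase", "paypal")


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key derived client-side from the master password (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a stand-in for AES, not a cipher to ship."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_vault(email: str, master_password: str, iterations: int, entries):
    """Hybrid record format: the URL stays plaintext, credentials are encrypted."""
    key = derive_key(master_password, email, iterations)
    return {
        "email": email,              # account metadata, stored in the clear
        "iterations": iterations,    # the client needs this, so it is in the clear too
        "items": [{"url": url,       # plaintext field, as criticised in the text
                   "username": encrypt_field(key, user),
                   "password": encrypt_field(key, pw)} for url, user, pw in entries],
    }


def triage(vaults):
    """Rank stolen vaults by how many plaintext URLs look high-value."""
    def score(v):
        return sum(any(h in item["url"] for h in HIGH_VALUE) for item in v["items"])
    return [v["email"] for v in sorted(vaults, key=score, reverse=True)]


def crack(vault, wordlist):
    """Offline guessing: derive a key per candidate, test it on one encrypted field.

    Nothing here touches a server, so no rate limit, lockout or later password
    change on the service side can interrupt it; only master-password entropy
    and KDF cost slow it down.
    """
    probe = vault["items"][0]["password"]
    for guess in wordlist:
        key = derive_key(guess, vault["email"], vault["iterations"])
        if decrypt_field(key, probe) is not None:
            return guess
    return None


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of a single candidate at the given iteration count."""
    start = time.perf_counter()
    derive_key("x", "probe@example.com", iterations)
    return time.perf_counter() - start


# Constructed sample data: two dumped vaults and a tiny attacker wordlist.
VAULTS = [
    build_vault("alice@example.com", "Summer2021!", LOW_ITERATIONS,
                [("https://mybank.example/login", "alice", "hunter2"),
                 ("https://mail.example.com", "alice", "p@ss")]),
    build_vault("bob@example.com", "correct-horse-battery-staple", HIGH_ITERATIONS,
                [("https://forum.example.org", "bob", "forumpw")]),
]
WORDLIST = ["password", "Summer2020!", "Summer2021!", "letmein"]

if __name__ == "__main__":
    print("triage order:", triage(VAULTS))
    print("alice master password:", crack(VAULTS[0], WORDLIST))
    print("bob master password:", crack(VAULTS[1], WORDLIST))
    for n in (LOW_ITERATIONS, HIGH_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Running it walks through the attacker's workflow: rank the dumped vaults by their plaintext URLs, then spend KDF time only on the ones that look worth it. The per-guess timing at the end is the entire remaining defence once the data is gone: the cost of each guess is set by the iteration count, the number of guesses by the master password's entropy, and nothing the victim changes at LastPass after the theft alters either number for the stolen copy.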
Recommendations for LastPass Users
LastPass users should go through their vaults and take extra steps to protect themselves. Here’s our recommendations:
- Change all passwords for all accounts stored in LastPass, including your LastPass vault password
- Turn on two-factor or multi-factor authentication (2FA/MFA) for the following:
– Email, personal and professional
– Financial services
– Social media accounts like Facebook, Pinterest, YouTube, etc.
– Mobile carrier accounts with Verizon, T-Mobile, Sprint, etc.
– Any and all websites you access, e.g. Amazon, Macy's, USPS, UPS, Spotify, Etsy, Udemy, etc.
- Switch to a new password manager.
You can review other recommended password managers at CyberNews.
Are You at Risk?
Possibly. All LastPass users may face a security risk.
Information stolen by the attacker included customer metadata such as business names, individual names, mailing addresses, email addresses, telephone numbers, and the IP addresses from which customers used LastPass services.
Additionally, a copy of customer vault data was taken, containing both encrypted and unencrypted fields. The encrypted fields include website credentials, secure notes, and form-filled data. These fields remain encrypted because, under LastPass's Zero Knowledge design, the encryption key can only be derived from the user's master password, and encryption and decryption happen only in the user's local LastPass client, never on LastPass's servers. The unencrypted fields include website URLs. Some partial credit card information was also present, although LastPass says it does not store complete credit card numbers in this storage.
Attackers now hold enough information about LastPass customers (names, email addresses, phone numbers, and the plaintext URLs in vaults) to run targeted phishing and social-engineering campaigns, on top of offline brute-force guessing of master passwords; either route can end in stolen customer credentials.
Don’t Lose Faith in Password Managers
A senior security engineer who asked to remain anonymous due to the sensitivity of the LastPass breach said, "One hundred percent, yes, people should switch to other password managers. LastPass failed to do the one thing they are supposed to: provide cloud-based secure credential storage."
Experts in the cybersecurity industry universally emphasize that the situation with LastPass shouldn’t deter people from using password managers in general.
Lukasz Olejnik, an independent privacy researcher and consultant, said, "As someone with experience handling and communicating EU data breach notifications, I'd say that LastPass's chosen communication strategy may undermine user confidence." Olejnik added, "The big issue is also the timing. Why do it just prior to the end-of-year holidays, when the initial investigation began months ago?" Jeremi Gosney, a senior principal engineer on Yahoo's security team and an experienced password cracker, wrote this week about the LastPass issue: "I used to support LastPass. I recommended it for years and defended it publicly in the media… But things change."
Recommendations from Barracuda MSP
Review these recommendations to limit the impact of this LastPass security incident:
- Review the master password policies outlined by LastPass (https://support.lastpass.com/help/what-is-the-lastpass-master-password-lp070014)
- Ensure LastPass's federated login services are implemented in your business (https://support.lastpass.com/download/lastpass-technical-whitepaper)
- Run phishing simulations and training across your organization to raise awareness of social-engineering attacks
- Audit and inventory user and admin accounts and their access to LastPass
- Review LastPass’s Zero Knowledge architecture (https://www.lastpass.com/security/zero-knowledge-security)
- Be informed on the latest updates to LastPass’s security incident (https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/)