It might be the last straw for some.
After years of being able to say this had never once happened, we can no longer say that.
I want to talk about why it’s not a reason to panic (unless your own security was lax), but also why it might be time to re-evaluate my recommendation of, and your use of, LastPass.
What to do about the LastPass breach
Personal information and encrypted data were stolen from LastPass. If you have a weak LastPass master password, you are at some slight risk of your vault information being compromised, so you should begin changing passwords. Vaults protected by strong master passwords remain secure. You don’t need to leave LastPass, but it’s understandable that you might. Do not avoid password vaults completely, however; choose an appropriate replacement instead.
What to do
To cut to the chase:
- If your LastPass master password was appropriately strong, you don’t need to do anything. The contents of your password vault are not at significant risk.
- If your LastPass master password is not appropriately strong, consider changing the passwords of all “important” accounts stored in your vault as soon as possible, and all accounts eventually.
And if, like me, you’re beginning to lose faith in LastPass, it might be time to consider a switch.1
The most important thing to know is that you don’t have to do anything, or switch immediately, or switch in a panic. As long as you have a strong master password, as described above, your information remains secure, and you can take your time to make a reasoned choice.
It’s a long saga. Here’s the key paragraph from the LastPass blog post:
Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
- In August, someone hacked into their network.
- Technical information was stolen, but no actual customer information was compromised at that time.
- That technical information was used to successfully phish a LastPass employee.
- The attacker obtained that employee’s credentials and keys, which gave access to information stored by LastPass.
- That allowed the attacker to steal some information.
While it’s unclear how many LastPass users are affected, they do go on to list the types of information stolen:
- Company names
- End-user names
- Billing addresses
- Email addresses
- Telephone numbers
- IP addresses from which customers were accessing LastPass
- URLs of websites for which passwords had been saved
- A backup of customer vault data
It’s the last one that has everyone concerned.
What did NOT happen
The attacker did not gain access to the unencrypted contents of any vaults. In other words, the attacker did NOT gain access to the information you and I store in our LastPass password vaults.
All they got was an encrypted blob that contains that information. Without the decryption key — your master password — they cannot access the contents of your vault. And LastPass does not know, nor do they store, your master password. Only you know it, and it’s only used on your device when you sign in to LastPass.
Could an attacker still decrypt a vault by guessing its master password? It’s unlikely, but possible.
It’s unlikely because the other breached information is more likely to be used successfully with much less effort on the hacker’s part.
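To make concrete why a stolen encrypted vault is only as weak as its master password, here is an added Python example. It is my illustration, not LastPass’s code and not from the original article, and it assumes a simplified model of how a password manager works: the master password is stretched on the device with PBKDF2 into the vault key, the service only ever receives a further hash of that key, and an attacker holding the blob must guess the master password one expensive derivation at a time. The iteration count, the guessing rate, the ten-year cutoff, and the tiny common-password list are all assumed values chosen for the illustration.

```python
import hashlib
import math
import string

# Assumed PBKDF2 iteration count for this illustration (real managers choose their
# own and have raised it over time); it is the knob that slows every guess an attacker makes.
ITERATIONS = 100_000

# Constructed, tiny stand-in for the huge leaked-password lists that cracking tools
# try first. Anything on such a list is worth only a few bits, whatever its length.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "iloveyou", "admin", "welcome", "abc123", "monkey",
}


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Key derivation as a password-manager client does it *on the device*.

    The master password is stretched with PBKDF2-HMAC-SHA256 into the key that
    encrypts the vault blob. The password itself is never sent anywhere.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"),
        iterations, dklen=32,
    )


def server_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to the service to log in (simplified, assumed model):
    one more hash of the derived key. The service can verify it but cannot recover
    either the vault key or the master password from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)


def estimate_bits(password: str) -> float:
    """Crude strength estimate: a known-common password is worth only log2(list size)
    bits; otherwise length times log2(character pool). This is an upper bound, since
    dictionary words and keyboard patterns are guessed long before random strings."""
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_crack(bits: float, sha256_per_second: float = 1e10, iterations: int = ITERATIONS) -> float:
    """Expected time to find the password by exhaustive guessing, given a raw SHA-256
    rate (1e10/s is an assumed order of magnitude) divided by the iteration count:
    every PBKDF2 round the client pays, the attacker pays too, on every guess."""
    derivations_per_second = sha256_per_second / iterations
    expected_guesses = 2 ** bits / 2  # on average, half the space is searched
    seconds = expected_guesses / derivations_per_second
    return seconds / (365.25 * 24 * 3600)


def assess_master_password(password: str) -> dict:
    """Summarise bits, years and a verdict; ten years is an assumed, illustrative cutoff."""
    bits = estimate_bits(password)
    years = years_to_crack(bits)
    return {"bits": round(bits, 1), "years": years, "verdict": "weak" if years < 10 else "strong"}


if __name__ == "__main__":
    passphrase = "correct-horse-battery-staple-42!"
    key = derive_vault_key(passphrase, "user@example.com")  # constructed sample account
    print("vault key (stays on device):", key.hex())
    print("auth hash (sent to service):", server_auth_hash(key, passphrase).hex())
    for pw in ("password1", "Abc12!", passphrase):
        print(pw, assess_master_password(pw))
```

The point the numbers make is the one above: with the blob in hand, the attacker’s only route is guessing, and a long, non-dictionary master password pushes that past any practical budget, while a common or short one falls in well under a year even at a modest guessing rate.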
What’s more likely to happen
By that I mean the combination of information that was compromised, like your name, email address, and knowing what services you have accounts with, can be used to mount what is likely to be a very convincing phishing attack. Conceptually, you would get an email that looks very legitimate, addressing you by name and including other accurate personal information in an attempt to fool you.
Some percentage of those attacks will likely be successful, much like the LastPass engineer was fooled, I would assume.
Why I’m disappointed
It’s very possible — likely even — that this was just a series of unfortunate events at LastPass. It’s possible that they’ve been as appropriately transparent as they could be about what’s been happening along the way.
I’m reluctant to “punish” them for transparency. As someone pointed out to me, just because a company reports no security incidents doesn’t mean there are no security incidents. Responsible disclosure should be applauded.
Some of the steps in the series of events seem as though they should have been avoidable. I could be wrong. Some of the information seems like it should have been made public sooner. I could be wrong about that as well.
And while I’m in no way a conspiracy guy, I have a hard time arguing with those who point out that the LastPass update was suspiciously timed around the Christmas holiday, when so many people — most notably journalists who might make an even bigger deal of this — are less likely to act or publish.
Nothing requires our trust more than the software we use to store secure information.
Our trust in LastPass is being eroded.
Don’t panic, but do review your security.
If you’ve been using a weak master password, now’s the time to start changing passwords for the accounts in your vault. Take this as an opportunity to do it correctly: long, strong passwords, unique to each site. While you should change your LastPass master password to something secure as well, that won’t help the current situation; that horse has left the barn.
Now is also a good time to revisit adding two-factor authentication to your accounts that support it. Then, even if an account password is compromised, the hackers still can’t get in.
I don’t believe you need to leave LastPass, but I understand if you decide you do. As I said, trust is critical. I expect to evaluate and make a new recommendation in the coming weeks.
What you should not do is stop using password managers altogether. A password manager is still significantly safer than any of the alternatives.
Update: Longtime tech journalist Ed Bott reminded me of something in his Substack post, which he apparently wrote at the same time as I was drafting this article. From “Is it time to replace your password manager?”:
LastPass got gobbled up by LogMeIn back in 2015. And then in 2021, LogMeIn announced it was planning to spin LastPass off as a separate company. Astute observers of the software industry know that this playbook rarely works out well. At the very best, your employees are distracted by the whole M&A song and dance. At worst … well, here we are.
Honestly, I’d not considered how the whole LastPass ownership game of hot potato might affect what’s happening within the company. It’s another reason, albeit without hard evidence, to at least be concerned.
Footnotes & References
1: I don’t yet have a specific recommendation, but I’m researching it. There are several good alternatives.