And why it’s important to read beyond the headlines.
I received several comments in late August 2022 from a variety of sources after the announcement that LastPass had suffered a breach. The comments ranged from “I’ll be interested to see what you have to say” to “Now that LastPass has been hacked again, what should we use instead?”
Here’s the thing: it’s important to read beyond the headlines. Taking alarmist headlines at face value without understanding the relevant details can lead you to make unnecessary decisions.
For my part? I’m continuing to use LastPass. I’ll explain why, and what I think you should do.
The LastPass hack
The reported hack into LastPass does not involve any user data and does not warrant abandoning LastPass. LastPass was forthright in publicizing the breach. However, trust is critically important when using a password vault. So even if this unnecessarily causes you to lose trust in LastPass, there are many excellent alternatives.
It’s all about trust
I want to start by saying that trust is important. You need to trust the password vault or password manager you choose to use.
The reason is fairly simple: if you don’t trust the software, you’re less likely to use it.
It’s important that you use a password manager.
Therefore, it’s important you trust your password manager.
If this or any other situation leads you to trust LastPass (or any software) less, then use something else that you do trust. In the case of LastPass, that means investigating and moving to a different password manager.
I totally understand why, reacting only to the headlines and without understanding the details, you might feel like you need to make a switch. I have an upcoming article on exactly which password managers you might want to consider. There are many decent and reliable alternatives.
But LastPass remains at the top of my list.
LastPass disclosed the breach in a public notice. In short, the account of a single LastPass developer was compromised. Using that account, the attackers got into the LastPass development environment and its source code. Some of that code was stolen, and some of it contained what LastPass considers to be proprietary technical information, or trade secrets.
The important thing to realize about the breach is that no user information was compromised. In other words, as a LastPass user, my account credentials were not compromised, my master password was not compromised, my encrypted LastPass vault was not compromised, and none of the entries in my LastPass vault were compromised.
LastPass’s announcement goes into more detail, but the bottom line for the average user is that you are not affected.
LastPass made this information public. They were forthcoming about the details of the breach. They provided a detailed FAQ that consumers can refer to in order to understand exactly how worried they should be.
My take is that LastPass has done the right thing. This increases my confidence in LastPass to do the right thing in the future should anything ever happen again.
What’s the risk?
That’s not to say that there isn’t risk here. The risk is not imminent, but it does exist.
Without knowing exactly what source code the hackers stole, it’s difficult to assess the risk. The implications could be completely benign. On the other hand, the trade secrets supposedly included in the breach could help a hacker better understand how LastPass works, and therefore help them find and exploit any vulnerabilities that exist in it.
That’s pretty much the position every open-source project is in: the code is public to anyone who wants to study it. A sound design stays secure anyway, because its security rests on your master password and the encryption, not on keeping the code secret.
I trust LastPass to understand what’s been taken, understand the risks of what’s been exposed, and take remedial action should that be appropriate.
Why I’m not worried
One of the things that’s important to realize about software development is that it rarely happens on live (production) systems.
What that means is that changes to the software behind an online service such as LastPass are made in a separate, isolated development environment that does not have access to “real” production data. So even though a hacker successfully accessed a developer’s account, it’s highly unlikely that the account had access to live customer data.
So the hacker did not have access to our password vaults.
But what if they did?
Even LastPass can’t see your data
One of the features of most reputable password vaults is what’s often called a zero-knowledge design: the service never receives or stores your master password. Instead, your master password is used on your own device to derive the encryption key, and only the encrypted vault is ever uploaded. Until you supply that password when you sign in, nothing (and nobody) can decrypt the vault. So a hacker, even if they were able to grab a copy of your encrypted vault, would be unable to view its contents.
I’ll say that again: a hacker who gains access to your password vault on LastPass’s servers cannot view its contents. Period. The one thing that makes that hold is the strength of your master password: a stolen encrypted vault can be attacked offline by guessing passwords, which is exactly why a long, unique master password matters.
And I’ll also say this again: that did not happen in this breach. No user data was exposed.
You do not need to abandon LastPass. I am not abandoning LastPass.
However, trust matters. If you no longer trust LastPass, I have an upcoming article that discusses several reliable and trustworthy alternatives, such as Bitwarden, 1Password, and KeePass.