LastPass Hacked And Why I Have Never Used It

I have always felt that the concept of LastPass, as well as other password managers, makes sense for users who would otherwise create simple ‘easy to remember’ passwords instead of the long, strong, complex passwords a password manager lets them use. Surely, having numerous passwords encrypted in the cloud is better than jotting them down on a sticky note under your keyboard, right? The reason I personally do not use password managers like LastPass is the lingering fear of a major hack. What if my password manager gets hacked and a hacker gets my master password? That would be tantamount to handing a thief the keys to my front door as I head off on vacation.

It seems my fears, as well as those of many other security experts, have come to fruition with the announcement that LastPass was the victim of a targeted attack in which user information was compromised. On Monday, June 15th, LastPass announced through a blog post that hackers had breached its databases and compromised email addresses and password reminders, as well as encrypted master passwords. Apparently, they discovered the breach after detecting suspicious activity on their network.

What can hackers do with the compromised information?

Unfortunately, a percentage of LastPass users will undoubtedly be the victims of targeted email phishing attacks as a result of this breach. Phishing is an effective, focused attack in which cyber thugs send victims emails with an embedded link that fools them into revealing more data. LastPass has informed its users about the breach and recommends that they update their LastPass master password. Cyber thieves have already keyed in on this and are no doubt readying focused email phishing attacks carrying a message such as: UPDATE your LastPass master password immediately. An unsuspecting LastPass user may click the link and be redirected to a site that looks awfully close to LastPass but exists only to collect more information from naive users. They would be prompted to enter their old master password and then asked to create a new, complex, strong, secure password. Now the hackers have the master password without having to steal or decrypt it; the unsuspecting users have hand-delivered it directly to the hacker’s servers.

Even though the attackers did not get all of the encrypted individual passwords, the breach could also lead to other compromises. An email address together with its password reminder may be enough to unlock that user’s email account, giving the attacker access to the mailbox and a trove of other valuable private information.

If the hackers are truly advanced there is a chance, although unlikely, that they can break the encryption and crack the master password. This is extremely difficult, but then again, who would have thought a security company that provides encrypted password protection would ever be hacked in the first place? To make matters worse, this is actually the second breach that LastPass has faced. Four years ago, LastPass was also the target of an attack.
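The lure described above works because the link in the email points somewhere other than the real LastPass site. The following is an added example (not code from the original post or from LastPass) of the check an email gateway or a careful user can apply to every link before anyone clicks it: extract the URLs, require https, and accept only hosts that are exactly the legitimate domain or a subdomain of it, compared on label boundaries. The allow-list `LEGITIMATE_DOMAINS`, the sample messages and the look-alike hosts are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list for this example: the only domain a genuine LastPass
# password-change link should point at. Subdomains of it are accepted too.
LEGITIMATE_DOMAINS = {"lastpass.com"}

# Constructed sample messages (not real e-mails) modelled on the lure the post
# describes: one genuine-looking link and several look-alike hosts.
SAMPLE_EMAILS = [
    "Reminder: change your master password at https://lastpass.com/account/change",
    "URGENT: UPDATE your LastPass master password immediately: "
    "http://lastpass.com.account-verify.example/login",
    "Click here: https://lastpass-secure.example/reset?user=me",
    "Verify now: https://lastpass.com@login-portal.example/verify",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


def link_verdict(url, allowed=LEGITIMATE_DOMAINS):
    """Return 'ok' or a reason string for one link.

    The host is compared on label boundaries, so 'lastpass.com.evil.example'
    does not match 'lastpass.com', and urlparse() treats anything before '@'
    as user-info, so 'lastpass.com@evil.example' resolves to evil.example.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme != "https":
        return "not https"
    if not any(host == d or host.endswith("." + d) for d in allowed):
        return "host %r is not %s" % (host, "/".join(sorted(allowed)))
    return "ok"


def classify_email(body):
    """Return [(url, verdict), ...] for every link in a message."""
    return [(u, link_verdict(u)) for u in extract_urls(body)]


if __name__ == "__main__":
    for body in SAMPLE_EMAILS:
        for url, verdict in classify_email(body):
            label = "ok" if verdict == "ok" else "SUSPICIOUS"
            print("%-10s %s  (%s)" % (label, url, verdict))
```

Only the first sample passes; the other three fail for different reasons (plain http, an unrelated host that merely contains the brand name, and the user-info trick), which is why the verdict carries the reason rather than a bare boolean.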

What can LastPass customers do?

I highly recommend that anyone reading this change their LastPass master password. Do not base passwords on any personal information such as your spouse’s, child’s or pet’s name, birthday, address, etc. Also make sure your password is not anything that can be easily found with a search or pulled from social media. Your master password should be at least 15 alphanumeric characters with a mix of numbers, symbols, and both upper and lower case letters. Keep in mind, 80% of ALL security breaches involve stolen or weak passwords.

If you access your LastPass account remotely or from another device, it is important to use multi-factor authentication. This is an added layer of security that requires a one-time password, for example one sent to your mobile phone as a text message.

At the end of the day, we all live in a corrupt world where cyber thieves prey on the innocent. This breach will certainly be a wake-up call for many users. I personally use a little black book that is kept under lock and key in a locked safe, in a locked room, in a locked building that is monitored 24/7 with cameras, DVRs and an alarm. I change my long & strong passwords every three months and am a bit paranoid. I was not always this paranoid, until my company was hacked: credit card, debit card, checking account, Twitter account, web site, etc. I decided to share my trials and errors as a victim of repeated hacks, and the practical steps people can take to protect themselves.
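The master-password advice above (at least 15 characters, all four character classes, nothing drawn from personal details) can be turned into an automatic check. The following is an added example, not code from the post or from LastPass: it scores a candidate password against that policy, catches personal details even when they are disguised with separators (`Main-Street` vs. `mainstreet`), and generates a compliant password from the operating system's CSPRNG. The `PERSONAL_TERMS` list and the sample passwords are constructed for the demo; `MIN_LENGTH` is the post's own figure.

```python
import re
import secrets
import string

MIN_LENGTH = 15  # the post's recommended minimum for a master password

# Constructed personal details for the demo user (not a real person).
PERSONAL_TERMS = ["Jane", "Fluffy", "1980-04-12", "Main Street", "Smith"]


def character_classes(password):
    """Which of the four character classes the password uses."""
    return {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def normalize(text):
    """Lower-case and drop separators so 'Main-Street' and 'mainstreet' match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_info_hits(password, personal_terms, min_len=4):
    """Personal terms (at least min_len characters) that appear in the password."""
    needle = normalize(password)
    return [t for t in personal_terms
            if len(normalize(t)) >= min_len and normalize(t) in needle]


def check_master_password(password, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    hits = personal_info_hits(password, personal_terms)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems


def generate_master_password(length=20):
    """Random master password from a CSPRNG that satisfies the policy above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_master_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["fluffy2008", "Fluffy-2008!Pass", "Kx9#mQ2!vL7pWz4$"]:
        print(repr(pw), "->", check_master_password(pw, PERSONAL_TERMS) or "OK")
    print("suggested:", generate_master_password())
```

The second sample shows why the personal-information rule is separate from the length and character-class rules: `Fluffy-2008!Pass` satisfies both of the latter and would still be a poor choice for anyone whose pet's name is public on social media.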

Look for my upcoming book, Hacked Again, and in the meantime subscribe to my 2 Minute Cyber Security Briefing video podcast on iTunes or YouTube for the latest cybersecurity news and tips.

Dr. Alex Tarter

SVP at AlixPartners

9 years

Hmmmm. I'm not sure this isn't throwing the baby out with the bathwater. LastPass did everything they could to build a solution that would be as robust as possible even in the event of a compromise. Their servers by necessity must be publicly accessible - otherwise you'd never be able to access your stored encrypted content - which means they are also accessible to bad guys. They are also a big target due to what they do. So I would say it is almost impossible to create a cloud service and not expect to get hacked - no matter what the company. Everyone likes to bash the company that was just hacked, but ask Kaspersky just how difficult it is to protect against intruders. I agree that it is prudent to warn people about the threat of spear-phishing attacks - but this type of attack is not any easier technically now than before the attack; it's just that the company is in the news. So nothing that has happened has 'weakened' the security of LastPass in terms of spear-phishing. What I do object to is the way the media (and the article above) seems to suggest that maybe the hackers have also hacked the encryption and got all your passwords! LastPass used the right hashing algorithms and individual salts per password because of this exact potential scenario. There is no reason at all to suggest that even if the attacker had your hashed password that they can calculate a rainbow table to attack just you. They would have to target just you and devote a gigantic amount of processing power just to attempt it. Even after they did that they'd have to devote the same energy to attack the next person's. It's not bad to be worried, but let's try and give people an informed and measured response to an incident like this. Scaring people with unsubstantiated claims that the encryption could be broken - just because a web server got hacked - is a little bit overblown. It's hard enough to try and explain this stuff to a layman without also having to dispel hyperbole as well.
Having said that, I do enjoy reading your posts, and keep up the good work. Sorry, rant over :)
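The comment's point about per-user salts and rainbow tables can be shown directly. The following is an added example, not LastPass's code and not something the commenter posted: it hashes two users' (identical, weak) passwords with PBKDF2-HMAC-SHA256, first with no salt and then with a random 16-byte salt per user, and counts how many stored hashes a single precomputed lookup table recovers in each case. The user records, the toy attacker dictionary `CANDIDATES` and the iteration count are all constructed for the demo; the comment names no specific algorithm parameters.

```python
import hashlib
import hmac
import os

# Assumed work factor for this demo; the comment names no specific number.
ITERATIONS = 100_000

# Constructed user records: two users who happen to share the same weak password.
USERS = {"alice": "Summer2015!", "bob": "Summer2015!"}

# A toy attacker dictionary (constructed) of passwords to precompute.
CANDIDATES = ["password", "letmein", "Summer2015!"]


def hash_password(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256: slow by design so each guess costs the attacker."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, stored, iterations=ITERATIONS):
    """Constant-time comparison of a fresh hash with the stored one."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def enroll(users, per_user_salt=True):
    """Return {user: (salt, hash)}.

    per_user_salt=False gives everyone the same (empty) salt, the situation in
    which one precomputed table covers the whole user database.
    """
    records = {}
    for user, password in users.items():
        salt = os.urandom(16) if per_user_salt else b""
        records[user] = (salt, hash_password(password, salt))
    return records


def precomputed_table(candidates, salt):
    """An attacker's lookup table, valid only for this one salt value."""
    return {hash_password(c, salt): c for c in candidates}


def recovered_users(table, records):
    """Which stored hashes a single table recovers, without any further hashing."""
    return sorted(user for user, (_, digest) in records.items() if digest in table)


if __name__ == "__main__":
    unsalted = enroll(USERS, per_user_salt=False)
    table = precomputed_table(CANDIDATES, b"")
    print("no salt, one table recovers:", recovered_users(table, unsalted))
    salted = enroll(USERS)
    alice_table = precomputed_table(CANDIDATES, salted["alice"][0])
    print("per-user salt, alice's table recovers:", recovered_users(alice_table, salted))
```

Without salts the two identical passwords produce identical hashes and one table recovers both accounts. With per-user salts the table built for alice's salt recovers only alice, and every other user costs the attacker the full PBKDF2 work again, which is the "devote the same energy to attack the next person's" observation above.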

Marcel Wildenberg CISSP

Technical Information Security Officer / Security Awareness Consultant

9 years

I've never used it and never will... Security and cloud solutions, it's a poor match. QED
