The LastPass Security Breach: What You Need To Know

For years, I've extolled the virtues of password managers. The benefits are powerful -

  • It allows you to create longer, more complex passwords
  • It prevents auto-filling data into fraudulent 'look-alike' sites
  • It facilitates use across all your devices
  • In some cases, it will even auto-fill MFA tokens for you

But that's a lot to entrust to a password manager. And unfortunately, LastPass - one of the largest password managers with over 25 million users as of 2020 - dropped a lump of coal in their customers' stockings right before Christmas. On December 22, LastPass acknowledged a recent cyberattack had resulted in the theft of customer data.

What Was Taken?

I think most people envision their LastPass vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plain text file and only a few select fields are encrypted. So what parts of a LastPass vault are encrypted and which parts aren't?

Encrypted:

  • Website Usernames
  • Passwords
  • Secure Notes
  • Form-Filled Data

Not Encrypted:

  • Website URLs
  • Basic customer information such as -
      • Company names
      • End user names
      • Billing addresses
      • Email addresses
      • Telephone numbers
      • IP addresses from where users accessed LastPass

What Wasn't Stolen?

  • Users' master passwords
  • Credit card info

Are You At Risk?

TL;DR - If you're a LastPass user, you betcha!

Let's start with the stuff that's easy for the bad guys - the information that isn't encrypted. Bad guys LOVE juicy pieces of information like IP addresses, what websites you visit, telephone numbers, and physical addresses. This seemingly insignificant information says a lot about you and allows bad guys to build targeted phishing and other cyber attack campaigns. So at a minimum, you will need to be on guard for increased phishing, smishing (phishing via SMS texts), and other social engineering attempts.

But My Vault Is Encrypted, Right?

Yep. Usernames, passwords, and the other info discussed earlier are indeed encrypted. That is to say that your vault can't be unlocked without your master password. In their statement, LastPass claims that if you created your master password using their guidelines for password length and strengthening - and haven't used that password anywhere else - "it would take millions of years to guess your master password using generally-available password-cracking technology". While this is theoretically so, a sizable leap of faith is required for this to be true in practice.

First, it assumes that you followed their guidelines for creating your master password. The problem is that those are just guidelines. If you've had your account since before 2018, they allowed you to create a master password with as few as 8 characters, and passwords that are trivial to guess.

Second, password guidelines change over time. Cyber threats evolve, and how we recommend countering them must change as well. What was considered a strong password 5 or more years ago isn't so strong anymore. If you created your master password long ago using the minimum guidelines in place at the time, it's probably not very robust by 2023 standards.

Finally, we tell people all the time that with the right combination of time, talent, and motivation, any system can be breached. Well. . .the bad guys have copies of the vaults in their hands. So they have all the time in the world to try to crack your password. I also expect that LastPass vaults will start appearing for sale on the dark web, so they can potentially be acquired by increasingly talented bad guys.

So, yes, your vault is encrypted. But for the reasons we outlined, I think prudence demands we assume that every LastPass vault will be compromised. The vaults with weak master passwords will be first, but I think it will be a matter of when, not if, for the rest.
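As an added illustration (not from the article or from LastPass), the estimate below shows why the old 8-character minimum and the "millions of years" claim are not in conflict: it compares the exhaustive-search time for a short mixed-case password against a long one. The guess rates and sample passwords are assumptions, and the figure is an upper bound that ignores dictionary and rule-based guessing, which is how weak master passwords actually fall.

```python
import math

# Assumed offline guess rates against a stolen vault (guesses per second).
# Illustrative assumptions only; real rates depend on the vault's key-derivation
# settings and the attacker's hardware, neither of which the article specifies.
GUESS_RATES = {
    "single GPU (assumed)": 1e5,
    "GPU cluster (assumed)": 1e8,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for exhaustive search, assuming every character was chosen
    uniformly from the pool. Real human-chosen passwords are far weaker."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try the whole keyspace at the given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def summarize(password: str) -> dict:
    """Upper-bound crack time in years per assumed guess rate."""
    bits = brute_force_bits(password)
    return {label: years_to_exhaust(bits, rate) for label, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # Constructed samples: an 8-character password meeting the pre-2018 minimum,
    # and a long passphrase-style master password.
    for sample in ("Summer22", "correct-Horse7!battery"):
        print(sample, {k: f"{v:.3g} years" for k, v in summarize(sample).items()})
```

The short sample exhausts in under a year even at the slower assumed rate; the long one exceeds a million years at the faster one, which is the gap the article's "guidelines" caveat is about.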

So What To Do?

The best course of action is to assume that your LastPass vault will be compromised eventually. So it's important that you take steps to protect yourself. The most immediate thing to do is to change the master password on your LastPass account. It won't change what's already in the hands of bad guys, but it will help mitigate any new breach. Seriously, do it now. I'll wait.

Next. . .look at all of the passwords you have in LastPass. Now, go log into each of those and change/reset the passwords on all of them. No, I'm not kidding! Yes, it's going to be a total pain in the ass. I know - because I set up a trial of LastPass earlier this year and I too had a vault there. So I have a couple hundred passwords to change. But the best thing you can do at this point is to make sure that if/when the bad guys crack the password on their copy of your vault all they're left with is outdated data.

Finally. . .I don't often tell folks to avoid a product. But I'm making an exception in this case. Please plan to move away from LastPass. LastPass has had 7 major security breaches in the last 10 years. A track record that is. . .not good. And the cloud really isn't the problem. The problem is that LastPass didn't do enough to protect the data - regardless of where the data was living.

There are plenty of other password managers out there. My recommendation is 1Password. I've been using them for years and it has been extremely solid. What's more, if the bad guys get my 1Password vault, my master password won't be enough. 1Password secures users' vaults with both a master password AND a 34-character secret key unique to each account.

If you have questions or concerns about LastPass or you would like more information about 1Password, just drop us a line at [email protected] and we'll be glad to help.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

1 year

Mike, thanks for sharing!
