LastPass Breach 2022

What is LastPass?

LastPass is a popular password manager that I have been using since 2013. A password manager, in my opinion, has become something that is required if you have several passwords to remember. A password manager's main “job” is to help users create long, complex passwords that are not reused from site to site. The password manager is protected by a master password and stores all your other passwords. It does not come without its risks, which became clear at the end of 2022. Having all your eggs in one basket, so to speak, is a risk.

What happened?

Over the course of several months LastPass was breached through multiple incidents. On August 25th, 2022, LastPass informed its customers that “an unauthorized party gained access to portions of [their] development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” After their investigation, in September, they concluded that there was no evidence that customer data was compromised. In an update on November 30th, LastPass again announced that they had detected unusual activity. This time the activity was with a cloud storage service, where user data was stored. Unfortunately, on December 22 an update to their blog notified customers that in fact their data, in particular their encrypted password vaults, had been breached. The threat actors were able to access a backup of users’ vaults stored in the cloud service. LastPass does not indicate how many users were affected, so many in the security field assume it was all of them. If only a portion of the users’ vaults had been accessed, it is believed that LastPass would have reported that only a portion was affected. You can learn more about the two separate breaches and their response to them on their blog.

What should you do if you are or have used LastPass?

This is the tough question on many people’s minds. I have been doing a lot of research to get that answer for myself before making a decision on what I want to do and writing this blog post. There does not seem to be one solid answer from the security experts on this one. I have read many posts, reached out to someone I know in the security field, and talked to colleagues who either use LastPass or whose opinion I thought might help me. I do not necessarily want to tell you what to do, because it really depends on a few things.

Do you have a strong master password, and have you used it somewhere else? If you have a master password that follows LastPass’ current recommendations, maybe you have a reason to stay with LastPass. These best practices include having at least 12 characters with upper case, lower case, numbers, and special characters. It should also not be easily guessed. Using dictionary words that relate to something about you, for example, would be easy for computers to guess. The password should also be unique to you, and to LastPass. Therefore, it should not be used anywhere else. If you have a newer account, or changed your password recently, you should have had these rules enforced. But if you have not changed your password in a while and had an account before these 12 characters became required, you might still have fewer.
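To make the rules above concrete, here is an added example (not code from the original post or from LastPass) that checks a candidate master password against the stated best practices: at least 12 characters, all four character classes, no personal terms that would be easy to guess, and no reuse from another account. The personal terms and the set of other passwords are constructed inputs for the demonstration; the function name `check_master_password` is an assumption of this example.

```python
import string

MIN_LENGTH = 12                      # LastPass' current minimum as described in the post
SPECIALS = set(string.punctuation)   # what counts as a "special character" here (assumption)


def check_master_password(candidate, personal_terms=(), other_passwords=()):
    """Return a list of policy problems; an empty list means the password passes.

    personal_terms:  words that relate to the user (pet names, birth years,
                     employer) and would be an easy guess for a cracker.
    other_passwords: passwords already used elsewhere, to catch reuse. In a real
                     audit compare hashes, not plaintext; plaintext is used here
                     only to keep the constructed example short.
    """
    problems = []

    # Length and character-class rules from the post.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")

    # "Dictionary words that relate to something about you" are easy to guess.
    lowered = candidate.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains a guessable personal term: {term}")

    # The master password must be unique to LastPass.
    if candidate in set(other_passwords):
        problems.append("reused from another account")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    personal = ["fluffy", "1985", "acme"]
    elsewhere = {"Fluffy1985!!", "Summer2022!"}
    for pw in ["Fluffy1985!!", "correct horse battery staple", "Tq7#mWv9$pLz"]:
        print(repr(pw), "->", check_master_password(pw, personal, elsewhere) or "OK")
```

The function deliberately reports every failing rule rather than stopping at the first, which is what you want when auditing a policy or explaining to a user why a candidate was rejected.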

What is your encryption iterations count? LastPass, and other password managers, use a function called PBKDF2 (Password-Based Key Derivation Function) to secure your master password. As of 2018, LastPass implemented 100,100 iterations as its default. The issue is that, as with the 12-character password requirement, they did not enforce it for existing users. I am not 100% sure, but I think if you changed your master password it updated the iteration count when it re-encrypted your vault. To check your iterations, please follow the directions here.
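The following is an added example, not code from the original post or from LastPass, showing why the iteration count matters for a stolen, offline vault. It uses a generic PBKDF2-HMAC-SHA256 construction (an assumption: LastPass' exact scheme is not described on the page) and compares the two counts the post discusses, 5,000 and 100,100. Every guess an attacker makes against an offline vault has to pay the full iteration count, so the per-guess time measured here is exactly the cost the setting buys the defender; the sample master password and salt are constructed for the demonstration, and the function names are this example's own.

```python
import hashlib
import os
import time
from typing import Optional

# Constructed values for the demonstration.
SAMPLE_MASTER_PASSWORD = "Tq7#mWv9$pLz!constructed"
OLD_ITERATIONS = 5_000            # the count the post found on an old personal account
DEFAULT_ITERATIONS_2018 = 100_100 # LastPass' default since 2018, per the post
KEY_LEN = 32                      # 256-bit derived key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a vault key with PBKDF2-HMAC-SHA256.

    Assumption: a generic PBKDF2 construction, not LastPass's exact scheme.
    The same password, salt and iteration count always give the same key, so
    an attacker holding the vault can test guesses offline; each guess costs
    `iterations` HMAC computations.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def seconds_per_guess(iterations: int, salt: bytes, rounds: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine.

    One derivation is one guess an offline attacker must compute, so this is
    the per-guess cost the iteration count imposes (on CPU; GPUs are faster
    but the ratio between counts stays the same).
    """
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_vault_key(SAMPLE_MASTER_PASSWORD, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def relative_cracking_cost(low_iterations: int, high_iterations: int) -> float:
    """How many times more work each guess costs at the higher count.

    PBKDF2 cost is linear in the iteration count, so the ratio of the counts
    is the ratio of attacker work per guess, independent of hardware.
    """
    return high_iterations / low_iterations


def compare_iteration_counts(salt: Optional[bytes] = None) -> dict:
    """Derive keys at both counts and report measured and theoretical cost."""
    salt = salt if salt is not None else os.urandom(16)
    old_key = derive_vault_key(SAMPLE_MASTER_PASSWORD, salt, OLD_ITERATIONS)
    new_key = derive_vault_key(SAMPLE_MASTER_PASSWORD, salt, DEFAULT_ITERATIONS_2018)
    old_time = seconds_per_guess(OLD_ITERATIONS, salt)
    new_time = seconds_per_guess(DEFAULT_ITERATIONS_2018, salt)
    return {
        "keys_differ": old_key != new_key,
        "old_seconds_per_guess": old_time,
        "new_seconds_per_guess": new_time,
        "measured_ratio": new_time / old_time,
        "theoretical_ratio": relative_cracking_cost(OLD_ITERATIONS, DEFAULT_ITERATIONS_2018),
    }


if __name__ == "__main__":
    for name, value in compare_iteration_counts().items():
        print(f"{name}: {value}")
```

Raising the count from 5,000 to 100,100 makes each guess about 20 times more expensive, which is worth having, but it only multiplies the attacker's cost by a constant; the length and randomness of the master password is what decides how many guesses they need in the first place, and neither setting can be changed on a vault copy that has already been taken.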

Do you trust LastPass now? Based on how LastPass has responded to the breach, do you trust them? You have to make this decision on your own. Click here to read the blog post about this incident, starting with the breach in August. I recommend scrolling to the bottom and reading the August 25th post and then working your way back up to the December post. In addition, here is a link to a Wikipedia article that lists the breaches LastPass has suffered over the last decade (scroll down to Security incidents). I also encourage you to do some research, but keep in mind that some articles were written by people who were angry at the time. Take all the information you find, or that I have shared here, and make a decision that you feel comfortable with.

What am I doing?

This, as I mentioned above, was a hard decision. I went back and forth and at times had decided I was going to stay with LastPass, and at other times thought to myself there is no way I can. In the end, I have decided that my time as a LastPass customer has come to an end. This decision was made extra difficult because I had recommended and rolled out LastPass Teams at my employer. At first, I felt terrible that over the years I have suggested that family, friends, and coworkers sign up for LastPass. Typically, I did not tell those people that LastPass was the default password manager to go with, but did say that it was my choice. After some thought, though, I don’t think my recommendation was bad. While it has now taken a turn for the worse, based on the information that I had at the time, not only did I decide to use LastPass for almost a decade, but I had no problem suggesting it to others. Since I made the decision for myself to move away from LastPass, I also decided to move my employer away from it. Now the question you may be asking yourself is why. Why am I leaving LastPass? It was a full couple of weeks of investigation, conversation, and weighing options that brought me to this decision. So, I will answer the questions that I suggested you ask yourself.

Did I have a strong master password and use best practices? This was a hard one for me to answer. Did I have a strong password? Yes, I think so. Was I sure enough to stay with LastPass? No. I did have a 12-character password with upper case, lower case, numbers, and special characters, on both my personal and business accounts. But were they easily guessed? By a computer? I was not comfortable saying yes to that question. The problem is the threat actors have my vault. It is encrypted using my master password, but they have it in an offline state. I cannot change my master password to secure the vault that was stolen. Having 2FA on my LastPass account (personal and business) has no effect on the security of the stolen vault. It is off LastPass’ servers, and therefore the second factor is not necessary to access it. They already have it. And they have as long as they want to try to crack it. They can wait 10 years until something like quantum computing has been developed and becomes a method of brute forcing their way into my vault. Once they are in, they have my entire digital life: social media, banking, shopping, technology management accounts for work, etc.

What was my iteration count? Well, this is one of the main reasons I came to my decision. I immediately checked my iteration count when I learned of this metric, and I was pleased to find that my iteration count was in fact 100,100. But that was on my work account. See, LastPass allows you to link your personal LastPass with your business account so that you can access all your passwords, personal and business, without having to log out and back in to the other account. Therefore, I had not logged in to my personal LastPass for quite some time. I logged in to my personal account and, with much despair and anger, I found my iteration count was only 5000. Why did they not enforce this upgrade for all users? Why had I not thought to log in to my personal account and change my master password over the years to keep my account secure? I do not have the answers to those questions, unfortunately, and most likely never will. So, what now? Am I secure? Do I trust my master password on either account enough to risk the increasing level of expertise of these threat actors? Knowing that at least one of my accounts had a low iteration count, I do not.

Do I trust LastPass now? First of all, you should understand that LastPass is a huge target. With over 33 million users, they have a huge target on their back. I had defended them on several occasions, saying that even when they were compromised user data was not accessed. Having the knowledge about security and the potential for data breaches, I understood that they had their work cut out for them. The reason I have come to the conclusion that I do not trust them is based on their response to this incident in particular, and the fact that they did not enforce their changes in security. Starting in 2008, 8-character passwords were enough. The encryption methods they used back then were enough. LastPass made changes over time when they felt their practices were no longer enough. The problem is they didn’t enforce them. So, I have to question whether they will continue this practice of not enforcing the newest security best practices. There were also times when security advisors found that LastPass was not encrypting all the data. The URLs that the saved logins were for were obscured, but not encrypted. This means that the threat actors know what websites I had in my vault. Unless they crack my vault, they don’t know the username or password, but they do know the sites. They can use this information to phish LastPass’ users to try to trick them into giving up their account passwords or, possibly worse, their master password.

Based on those questions I made the decision to move away from LastPass. But where do I go? Should I have a password manager? If so, which one? Also, because I am not comfortable with the security of my master password, considering they have unlimited time to crack it, I will also be changing all the passwords I had saved in LastPass. That will definitely take some time.

Should you use a password manager?

Some might think that, in light of the severe implications of this breach, maybe it is best not to have a password manager. I understand that thought, but to be honest it really is not one that I ever put thought into. I knew there was risk, hoped it would never happen, but here I am. But is it safer to not have one? I still think the answer is no; you still should have a password manager if you have quite a few passwords. I do not know that there is a magic number, but I had almost 500 passwords between work and personal. I can never remember those passwords. So, what options do I have with that many passwords? Some people write them down. This is a bad idea. “But no one will break into my home/office and see the paper,” you might be saying, and you could be right. But even if you are writing them down, you still have to type them. That means you probably are creating passwords that are easily typable, and easily guessed. Someone whose opinion I respect a lot on this particular topic is Scott Augenbaum. He is a retired FBI agent who worked in cybercrime. He now speaks on how you can protect yourself from cyber events by creating good, strong passwords (passphrases) that are easy for you to remember but really hard for a computer to guess. I highly recommend his book “The Secret to Cybersecurity” on Amazon, which describes his ideas. With as many passwords as I have, though, how do I do that? I can’t. Other people use the password manager built into the browser that they use most. While I believe this is better than writing them down somewhere, I personally would rather trust a company that specializes in password management vs Google (Chrome), Microsoft (Edge), or Mozilla (Firefox).

What password manager should I use?

Partially because of my previous recommendations of LastPass and the current situation, I do not want to recommend a new password manager. There are many password managers out there that do a good job of protecting your passwords. Below is a list of a few of them with links to their websites. They are in alphabetical order, not in the order of which I think are best.

Bitwarden – https://bitwarden.com/

Dashlane – https://www.dashlane.com/

Keeper – https://www.keepersecurity.com/

LastPass – https://www.lastpass.com/

NordPass – https://nordpass.com/

1Password – https://1password.com/

Where did I get my information?

I wish I had kept better track of all the articles, blog posts, and conversations that led me to my decision. Below are links to the ones I can remember. Unfortunately, a lot of the conversations, and in particular those defending LastPass, are on social media that I cannot link. (I tried to include some from LinkedIn below; they may not work.)

LastPass Blog – Notice of Recent Security Incident – The LastPass Blog

Wikipedia – LastPass – Wikipedia

LastPass iterations – How do I change my password iterations for LastPass? – LastPass Support

NY Times – A Breach at LastPass Has Password Lessons for Us All – The New York Times (nytimes.com)

Wired – LastPass Data Breach: It’s Time to Ditch This Password Manager | WIRED

The Verge – The LastPass disclosure of leaked password vaults is being torn apart by security experts – The Verge

Ars Technica – LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica

The Hacker News – LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen (thehackernews.com)

Security Now – Leaving LastPass – How LastPass failed, Steve’s next password manager, how to protect yourself – YouTube

Cyber News – LastPass Review (2023): Is It Still Safe & Secure? | CyberNews

Naked Security – LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com)

1Password Blog – Not in a Million Years | 1Password

Scott Augenbaum via LinkedIn – https://www.linkedin.com/posts/ (Posted approx. 1/9/22)

Scott Augenbaum via LinkedIn – https://www.linkedin.com/posts/ (Posted approx. 1/8/22)
