LastPass, a popular password manager, has suffered a major data breach, compromising customers’ personal information and putting their online passwords at risk.
In late December, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company disclosed in August had ultimately led to an unauthorized party stealing customer account information and sensitive vault data. The breach is the latest in a long and troubling series of security incidents involving LastPass dating back to 2011.
It is also the most alarming.
An unauthorized party was able to access unencrypted subscriber account information such as LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. The same unauthorized party was also able to steal a copy of customer vault data, which includes unencrypted data such as URLs and encrypted data such as usernames and passwords for all the websites customers have stored in their vaults.
If you’re a LastPass subscriber, the severity of this breach should prompt you to look for another password manager, because your passwords and personal data are at serious risk of being exposed.
What should LastPass subscribers do?
The company did not specify how many users were affected by the breach, and LastPass did not respond to CNET’s request for further comment on the breach. However, if you are a LastPass subscriber, you must operate under the assumption that your user and vault data is in the hands of an unauthorized party with bad intentions. Even if the most sensitive data is encrypted, the problem is that the threat actor can run “brute force” attacks on the stolen local files. LastPass estimates that it will take “millions of years” to guess your master password—if you’ve followed its best practices.
If you don’t have that kind of confidence in your master password – or if you just want total peace of mind – you’ll need to spend some time and effort changing your individual passwords. And while you’re doing it, you’ll probably want to move away from LastPass, too.
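As an added illustration (not from the CNET article or from LastPass), the Python below shows the arithmetic behind an estimate like “millions of years”: the master password’s entropy and the key-derivation work factor together set how long an exhaustive search of a stolen vault copy takes. The attacker throughput, iteration counts and scenarios are assumed placeholder values chosen for the demo, not LastPass’s actual parameters; the point is how the two factors multiply, and how a defender can invert the formula to pick a work factor.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a password of `length` symbols chosen uniformly at
    random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, kdf_iterations: int,
                         hashes_per_second: float) -> float:
    """Expected time, in years, for an exhaustive search to hit the right
    master password. Each guess costs `kdf_iterations` hash computations,
    so the iteration count divides the attacker's throughput; on average
    half of the keyspace is tried before the correct guess."""
    guesses_per_second = hashes_per_second / kdf_iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def iterations_for_target(entropy_bits: float, hashes_per_second: float,
                          target_years: float) -> int:
    """Smallest KDF iteration count that pushes the expected crack time of a
    password with `entropy_bits` to at least `target_years` (defender's view)."""
    expected_guesses = 2 ** (entropy_bits - 1)
    needed = target_years * SECONDS_PER_YEAR * hashes_per_second / expected_guesses
    return max(1, math.ceil(needed))


# Assumed attacker throughput for illustration (inner-hash evaluations per
# second across a cracking rig). Not a measured figure.
ASSUMED_HASHES_PER_SECOND = 1e10

# Scenarios: (label, password length, alphabet size, KDF iterations).
# Iteration counts are illustrative placeholders, not LastPass's settings.
SCENARIOS = [
    ("8 lowercase letters, low iteration count", 8, 26, 5_000),
    ("8 lowercase letters, high iteration count", 8, 26, 600_000),
    ("12 mixed-case letters + digits, high iteration count", 12, 62, 600_000),
    ("16 random printable ASCII, high iteration count", 16, 94, 600_000),
]


def risk_table(hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> list:
    """Return (label, entropy bits, expected crack years) for each scenario."""
    rows = []
    for label, length, alphabet, iters in SCENARIOS:
        bits = password_entropy_bits(length, alphabet)
        years = expected_crack_years(bits, iters, hashes_per_second)
        rows.append((label, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    for label, bits, years in risk_table():
        print(f"{label:55s} {bits:6.1f} bits  ~{years:.3g} years")
```

Two things stand out when the table runs: raising the iteration count by a factor of 120 buys exactly a factor of 120 in crack time, while adding eight random characters to the password buys tens of orders of magnitude. That is why the article’s advice centres on the strength of the master password rather than on the vendor’s defaults alone.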
With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history of security incidents and considering the severity of this latest breach, now is a better time than ever to find an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for accounts such as online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here as well. Start by changing the passwords to accounts like email and social media profiles, then you can start working your way down to other accounts that may not be as critical.
4. Enable two-factor authentication where possible. Once you’ve changed your password, be sure to enable 2FA on any online account that offers it. This will give you an extra layer of protection by notifying you and requiring you to approve each login attempt. That means that even if someone ends up getting your new password, they shouldn’t be able to access any given website without your secondary authentication device (usually your phone).
5. Change your master password. While this doesn’t change the threat level of the stolen vaults, it’s still wise to help mitigate the threats of any potential future attack — that is, if you decide to stay with LastPass.
LastPass Alternatives to Consider
- Bitwarden: CNET’s top password manager is a highly secure and open source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS, and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use on all your Apple devices. It also offers a Windows client with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba that said the company “determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and some proprietary LastPass technical information.”
At the time, Toubba said the threat was contained after LastPass “engaged a leading cybersecurity and investigative firm” and implemented “enhanced security measures.” But that blog post would be updated several times over the following months as the scope of the breach gradually expanded.
On September 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
“Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this time frame, the LastPass security team detected the threat actor’s activity and subsequently contained the incident,” Toubba said. “There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved access to customer data or encrypted password vaults.”
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’ care.
However, it turned out that the unauthorized party was eventually able to access customer data. On November 30, Toubba updated the blog post once again to notify customers that the company “determined that an unauthorized party, using information obtained in the August 2022 incident, was able to access certain elements of our customers’ information.”
Then, on Dec. 22, Toubba provided a lengthy update to the blog post laying out the unnerving details of exactly what customer data the hackers accessed in the breach. That’s when the full severity of the situation finally emerged and the public found out that LastPass customers’ personal information was in the hands of a threat actor and that all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’ password best practices and have the latest defaults enabled that no further action on their part is recommended at this time since their “sensitive vault data, such as usernames and passwords, secure notes, attachments and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.”
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow password manager best practices are at greater risk of having their master passwords cracked. Toubba suggested that these users should consider changing the passwords to the websites they have saved.
What does all this mean for LastPass subscribers?
The first breach resulted in the unauthorized party gaining access to sensitive user account data as well as vault data, meaning that LastPass subscribers should be extremely concerned about the integrity of the data they have stored in their vaults and should question LastPass’s ability to keep their data safe.
If you are a LastPass subscriber, an unauthorized party may have access to personal information such as your LastPass username, email address, phone number, name and billing address. IP addresses used to access LastPass were also exposed in the breach, meaning the unauthorized party could also see the locations you accessed your account from. And because LastPass doesn’t encrypt users’ saved URLs, the unauthorized party can see all the websites you’ve saved login information for with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition to launch a phishing attack and socially engineer their way to your account passwords. And if you’ve saved any password reset links that might still be active, an attacker could easily go ahead and create a new password for themselves.
LastPass says that the stolen encrypted vault data, such as usernames and passwords, secure notes and form-fill data, remains secure. However, if an attacker were to crack the master password you had at the time of the breach, they would be able to access all of this information, including all of your online account usernames and passwords. If your master password was not strong enough at the time of the breach, your passwords are particularly vulnerable to exposure.
Unfortunately, changing your master password now will not help solve the problem because the attackers already have a copy of your vault that was encrypted with the master password you had in place at the time of the breach. This means that the attackers essentially have unlimited time to crack the master password. That’s why the safest course of action is to reset passwords for all LastPass saved accounts. Once changed at the site level, it would mean the attackers would get your old, outdated passwords if they managed to crack the stolen encrypted vaults.
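To make the last point concrete, here is an added Python example (not code from CNET or from LastPass) built around a toy vault. It stretches the master password with PBKDF2 and encrypts the entries with a constructed HMAC-based stream cipher plus an authentication tag; that scheme, the iteration count and the sample credentials are all assumptions for the demo and not LastPass’s real format. The simulation walks through the two remediations discussed above: rotating the master password, which leaves the attacker’s stolen copy exactly as decryptable as before, and rotating the site-level password, which leaves the stolen copy decryptable but worthless.

```python
import hashlib
import hmac
import json
import os

# Work factor for the toy vault. An assumed illustrative value, not LastPass's setting.
KDF_ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (illustration only;
    a production vault would use an authenticated cipher such as AES-GCM)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Encrypt-then-MAC the entries under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict):
    """Return the entries if `master_password` opens `blob`, otherwise None."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt)
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong master password (or tampered blob)
    stream = _keystream(key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8"))


# Constructed sample vault; the site and credentials are made up for the demo.
SAMPLE_VAULT = {"example-bank.test": {"user": "alice", "password": "OldBankPw!2022"}}
ROTATED_VAULT = {"example-bank.test": {"user": "alice", "password": "NewBankPw!2023"}}


def simulate_breach_response(old_master: str, new_master: str) -> dict:
    """Model the attacker's stolen copy against the two remediations.

    1. The attacker copies the vault while it is encrypted under old_master.
    2. The user rotates the master password: the live vault is re-encrypted,
       but the stolen copy is untouched and still opens with old_master.
    3. The user rotates the site-level password: the stolen copy still opens,
       but the credential it reveals no longer matches the live one.
    """
    live_vault = encrypt_vault(old_master, SAMPLE_VAULT)
    stolen_copy = dict(live_vault)  # attacker's offline copy of the ciphertext

    # Remediation A: change only the master password.
    live_vault = encrypt_vault(new_master, SAMPLE_VAULT)
    opened_with_old = decrypt_vault(old_master, stolen_copy)

    # Remediation B: change the password at the site itself.
    live_vault = encrypt_vault(new_master, ROTATED_VAULT)
    live_now = decrypt_vault(new_master, live_vault)

    return {
        "new_master_opens_stolen_copy": decrypt_vault(new_master, stolen_copy) is not None,
        "old_master_opens_stolen_copy": opened_with_old is not None,
        "stolen_copy_reveals_current_site_password":
            opened_with_old["example-bank.test"]["password"]
            == live_now["example-bank.test"]["password"],
    }


if __name__ == "__main__":
    print(simulate_breach_response("correct horse", "battery staple"))
```

Running it shows the asymmetry the article describes: the old master password opens the stolen copy no matter how many times the live vault is re-keyed, and only changing the credential at the site itself turns whatever the attacker eventually decrypts into stale data.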
For more on how to stay safe online, here are tips about privacy that digital security experts wish you knew, and browser settings to change to better protect your information.