SPECIAL: LastPass Breach

[UPDATE, Jan 11: I added some further resources to the bottom of the article. Check back periodically.]

The recent LastPass breach notification is very troubling, though maybe not for the reasons you’d expect. This is going to be a long post, but I think it’s important to go through this thoroughly. NOTE: Even if you don’t use LastPass – even if you don’t use a password manager at all – I think you should still read through this article. Also, this should NOT dissuade you from using a password manager… though you should probably choose something besides LastPass. Please read and share this post with others. (Note also that I just interviewed a top security expert from the US Cybersecurity and Infrastructure Security Agency (CISA) about this breach, which you can listen to here.)

This is an ongoing investigation and there are still things we don’t know yet – probably because even LastPass doesn’t know yet. So keep that in mind as you read this. I will try to update this article if significant new details emerge.

LastPass Breach: What Happened?

LastPass has documented its findings in a series of blog articles, which you can find here. Here’s the short version. LastPass reported a network breach in August. In a September update they claimed that the breach was “limited to the LastPass Development environment in which some of our source code and technical information was taken”. Crucially, they also said that there was “no evidence that this incident involved any access to customer data or encrypted password vaults”.

However, two months later in November, LastPass notified its customers of some “unusual activity within a third-party cloud storage service”. They said that they “have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” They then immediately claimed that “our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture”.

But on Dec 22, LastPass dropped a bombshell. It appeared that the initial breach of the developer account in August allowed the threat actor to copy customer information from this backup service, including some account information, a good bit of vault metadata, and the encrypted password vaults themselves. LastPass loudly claimed (in boldface type) that “[t]hese encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” They also claimed that “[t]here is no evidence that any unencrypted credit card data was accessed”.

What Data Was Stolen?

According to LastPass, the threat actors stole the following information:

  • “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service”
  • “a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

That’s about as bad as it gets. The only way it could have been worse is if the vault backups were somehow not encrypted or the encryption was badly flawed. But given that the vault was encrypted, the encrypted data is theoretically safe, even in the hands of bad guys – unless you used a really crappy password that the threat actors would be able to eventually guess. That’s a pretty important qualification and is the main threat here, which we’ll get into shortly.

But it turns out that not every piece of information in your vault was encrypted. This absolutely blew my mind. I had certainly assumed that everything in the vault was encrypted – why wouldn’t it be?? This is a question LastPass has yet to answer. What also blows my mind is that we somehow didn’t know this until now, with all the scrutiny LastPass surely must have received from security researchers. Anyway, that leads us to the next question…

What Data Was Not Encrypted?

I guess we should start by saying that the important stuff all appears to be encrypted: the username and password, the name you gave the vault entry, and any notes associated with the entry. Also, the folder name for each entry is encrypted, if you used folders to organize your vault.

The LastPass blog article only mentions one field as being unencrypted: the “website URLs”, or the web addresses associated with each account. This alone is bad news. The URL list gives away every website where you have an account. First of all, this could be a privacy nightmare if you happen to have accounts at pornhub.com, ashleymadison.com, aa.org or some other sensitive sites. Second, it tells the bad guys where to focus their efforts – either in trying to crack specific passwords or targeted phishing attacks. There is no excuse for this and LastPass must fix this immediately (though it’s obviously too late for all their current users).

But it turns out that there were many other pieces of important metadata that were also not encrypted for some unfathomable reason, including:

  • Account website URL
  • Generated
  • Favorite
  • Note type
  • Shared with others
  • Last Modified
  • Breached
  • Form fields

That’s some pretty useful information to an attacker. I just cannot understand why this information was not encrypted.

How Do I Know If I Was Affected?

The LastPass blog article was not 100% clear on this, unfortunately. But at this point I would assume that all current LastPass users as of 2-3 months ago would be affected by this. I think it’s also wise at this point to assume that any and all past LastPass customers could also be affected by this, unless you specifically deleted your account or purged your vault.

You should have gotten an email from LastPass about this, though it would have been very easy to miss. Another LastPass failure here, in my view, is that they didn’t do a good job of notifying customers. I think your LastPass plugin or app should have a big red badge on it indicating an important notification, or even a pop-up dialog. Also, the fact that they released this right before Christmas was poor timing, bordering on suspicious. Companies often dump bad news right before the weekend or over the holidays in an attempt to minimize unfavorable news coverage. This has the added effect of minimizing awareness for the true audience: the customers.

Is My Encrypted Data Safe?

If you are (or even were) a LastPass user, this is the most important question to answer. The bad guys have a copy of your encrypted password vault. That vault presumably contains many sets of important account credentials. However, it may also contain secure notes with other important private data, such as social security and passport numbers, credit and debit card numbers, financial account information, SSH keys, and whatever else you wanted to store securely.

If you have a strong master password, then that data should be completely safe. That’s the whole point of an encrypted data vault. It shouldn’t matter who has a copy of it. If it’s properly encrypted with a strong key, it would take hundreds or even millions of years for a supercomputer to guess your password (what we call a brute force attack).

However… if you did not choose a strong master password, then you have to assume that your vault will eventually be compromised and all of its contents revealed (at least to the bad guys). It’s literally just a matter of time. Cyber hackers have very powerful and efficient tools to crack passwords. These tools start by guessing all the worst passwords (mostly based on past breaches) and then combinations of dictionary words, pop culture references, names, dates, etc.

I will say that we have no indication so far that anyone’s LastPass vaults have been pried open. Assuming that this data was stolen at least a couple months ago, that seems odd. But don’t let this make you complacent – if you have a less-than-stellar vault password, you’ll want to take immediate action (see below).

What About PBKDF?

Okay, that’s not a question you likely asked yourself. But there is another interesting security detail to this breach that warrants discussion. Because people notoriously choose bad passwords and because threat actors have powerful tools to crack those passwords, security researchers have developed techniques to slow down password attacks. They use something called a Password-Based Key Derivation Function (PBKDF) to make each password guess more expensive. The more times (iterations) your password is run through this function, the longer every single guess takes, and so the longer it will take the password cracking tools to find your password. The recent standard is about 100,000 iterations, though a leading security organization recently raised their recommendation to around 300,000.

LastPass is currently using 100,100 iterations of PBKDF2. That’s good, right? Well, they didn’t always use that many. To be fair, the accepted number of iterations has increased over time as computers have gotten faster. However, if you’re a long-time LastPass user, your account may still be using the older value, possibly as low as 5000, 500 or even just one (1)! None of those values are sufficient today. It really appears that LastPass was negligent about prompting their long-term customers to increase this setting over the years.

To check or change your current setting, see this article. Note that you can change this to any value you want. I would also make it a “non-standard” value to throw off the bad guys – say 300,099. (If you really want to dig into this, there’s a long article here you should read.)
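To make the iteration-count discussion concrete (and to put some numbers behind the “millions of years” brute-force claim above), here is an added example that is not from the original article or from LastPass: it stretches a master password with PBKDF2-HMAC-SHA256 into a 256-bit key, times one derivation at several iteration counts, and turns that into a worst-case exhaustive-search estimate. The salt and the `parallel_guessers` factor are constructed assumptions, not LastPass parameters.

```python
import hashlib
import time

# Constructed example salt; real vault salts are per-user and not shown on the page.
SALT = b"constructed-example-salt"
KEY_LEN = 32  # 256 bits, the AES-256 key size the LastPass notice refers to

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The same password, salt and iteration count always yield the same key;
    changing the iteration count yields a completely different key.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def time_one_guess(iterations: int, candidate: str = "correct horse") -> float:
    """Seconds for ONE key derivation on this machine; a cracker pays this per guess."""
    start = time.perf_counter()
    derive_vault_key(candidate, iterations)
    return time.perf_counter() - start


def guesses_for_space(charset_size: int, length: int) -> int:
    """Number of candidates in a fixed-length password space."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, seconds_per_guess: float,
                     parallel_guessers: int = 1) -> float:
    """Worst-case years to try every password, given per-guess cost and parallelism.

    parallel_guessers is an assumed stand-in for GPU/cluster throughput; attackers
    also guess likely passwords first, so real time-to-crack is usually far lower.
    """
    total_seconds = guesses_for_space(charset_size, length) * seconds_per_guess
    return total_seconds / parallel_guessers / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Iteration counts mentioned in the article: the legacy values and the current ones.
    for iters in (1, 500, 5000, 100100, 300099):
        cost = time_one_guess(iters)
        print(f"{iters:>7} iterations: {cost * 1000:9.3f} ms per guess; "
              f"8 lowercase letters exhausted in {years_to_exhaust(26, 8, cost):.2f} years "
              f"on one core, 16 mixed chars: {years_to_exhaust(95, 16, cost):.2e} years")
```

Run it to see the per-guess cost grow linearly with iterations; the short-password rows stay within reach even at 300,099 iterations, which is why the article stresses that a strong master password, not the iteration count alone, is the primary defense.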

Is My Vault Protected by 2FA?

Security experts love to go on and on about the benefits of two-factor authentication, or 2FA. And 2FA (sometimes referred to as MFA, multi-factor authentication) is indeed a strong defense for protecting access to your online accounts. However, in this particular case, it doesn’t come into play. Normally, bad guys would need to first log into your account in order to download a copy of your password vault. But by stealing a copy directly from LastPass’s cloud backup server, they have bypassed individual account verification entirely. This is why it’s crucial that you have a strong master password – that is your primary defense.

However, if you have 2FA on your other accounts, then that will still serve as a secondary line of defense for those accounts. That is, even if the bad guys manage to crack your master password and gain access to all the passwords stored in your vault, any accounts that are protected with 2FA should still be safe. So, adding 2FA to your online accounts now (after the fact) will still improve your security for the accounts listed in your stolen password vault.

What Should I Do?

This is the second most important question for LastPass users to answer. If you have a truly strong master password, right now there is probably nothing more that you need to do. From everything we know today (Jan 18), your data should be safe (other than the metadata that wasn’t encrypted).

I can understand how you might not be comfortable with that answer, however. If you want to be conservative about this, or if you’re feeling unsure about the strength of your master password, then here is what you should do:

  1. Change your master password and make it strong. This is to keep the bad guys from accessing your account going forward. It should be at least 12 characters, but I’d shoot for 14-16. Use upper and lower case letters, numbers, and special characters if you can (at least some punctuation characters). You can also use a passphrase.
  2. Change all the passwords that were in your vault. Yeah, I know, that sounds ridiculously hard. But start with the most important ones: financial, medical, government (IRS, Social Security, etc), social media and email. Why email? Because that’s where most password reset requests will be sent. Social media and email can also be used to scam your followers and contacts.
  3. Add two-factor authentication to any online accounts that you can.

Note that none of this will prevent access to the data the threat actors already have. The copy of the vault they have was encrypted with whatever master password you used on the version of the vault that was stolen (we still don’t know when it was stolen or how old the backups were). If that password was insecure, then you need to do the above steps right away.

But also note that there are other things in your vault that you may not be able to change – like social security numbers or bank account numbers. Those will remain vulnerable basically forever. Look through the contents of your vault notes (both the “Secure Notes” entries and the notes associated with regular credential entries) to see what other information may have leaked and take action where prudent.

If you’re now uncertain about this whole password manager thing, there are ways to make them safer, if you’re willing to put up with some added inconvenience.

Should I Switch to a Different Password Manager?

First, let me just say again that you absolutely, positively should be using a password manager – full stop. Do not let this or any breach dissuade you from doing so. You should have long, strong, unique, crazy random passwords for every account. And the human brain is just not up to that task. If you are not currently using a password manager, I would strongly recommend either BitWarden or 1Password. I have used and recommended LastPass for many years, but at this point I cannot recommend them to new users. It truly pains me to say that.

If you are a current LastPass user, I would seriously consider switching to BitWarden or 1Password. It’s not really about the breach. If you dropped every service that suffered a data breach, you’d eventually end up either with no options left or only those companies that don’t know that they’ve been breached. Breaches can happen to anyone. What matters more to me in situations like this is how the company responds, which I’ll cover in a minute.

However, what pushes me to recommend switching is LastPass’s failure to keep their customers up to date with the current minimum standards for password strength and hash iterations. That’s something that’s hard to forgive. That said, there’s no real rush to switch. You don’t have to make this decision now – you can do this later, after you take the steps above to mitigate your risks.

Note that switching is actually pretty easy, from a technical perspective. You can simply export your LastPass vault information and import it to your new service. (You can find instructions here and here.) However, you may have shared passwords with others or a family account. That would mean all of you would need to switch to something new.

If you do decide that you want to switch to some other password manager and you’ve also decided that you need to update all your passwords, then I would change the passwords after you switch. That is, put the new passwords only in the new service’s vault.

I will point out that LastPass will almost certainly make significant changes as a result of this incident. It may be that in 6-12 months, LastPass will fix all these problems and add innovative and enticing new security features. Time will tell. That is not a reason to stay with LastPass, but if you do stay, my guess is that their service will get better.

So for now, the key is to execute the steps in the previous section. If you want to switch to another service, I would understand that. But I don’t think at this point that it’s a simple, no-brainer choice (though I’m sure others might disagree with me). However, if you are just getting started with a password manager, then I would not choose LastPass.

How Well Did LastPass Respond to This?

From a technical standpoint, I think LastPass has taken appropriate steps so far, though there’s a lot we still don’t know about what happened here. However, they obviously need to start encrypting the entire vault. They should also do more to ensure that customers don’t choose a weak master password and force LastPass client software to keep up with the accepted current minimum standards for vault security.

From a messaging perspective, I think they should do much more to get the attention of their users and be much more clear about who may have been affected. I think their blog article also used a lot of confusing technical jargon meant to sound reassuring, and weak statements about the real risks. I’m sure that legally they have to be careful what they say – not just to avoid lawsuits, but to avoid running afoul of SEC rules and to satisfy multiple different breach disclosure requirements in various jurisdictions. But at the end of the day, I don’t have any inside information about what’s really going on, so it’s hard to judge. I’m not a PR person, so I’ll leave that debate to others.

Beware Targeted Phishing Attempts and Scams

Any breach of this magnitude is going to spawn several types of scams and phishing campaigns, even targeting non-LastPass customers. Be even more alert than usual in the coming weeks and months for:

  • Phishing. All the metadata in your vault could allow attackers to send you pretty convincing emails, texts and even phone calls seeking to trick you into giving up information. Beware of messages or people asking you for 2FA codes, too.
  • Blackmail. I don’t want to be a fearmonger, but in the wrong hands, certain account metadata could be embarrassing or compromising. Certain bad actors will capitalize on that. But also be aware that they may use the metadata to convince you that they have more information than they really do.
  • Scams. Be wary of any urgent, scary notifications or offers of help or technical support related to this breach. They may use the metadata to trick you into thinking you’ve been hacked, or simply capitalize on the general anxiety caused by this news to try to sell you stuff you don’t need.

As a final note, LastPass reminded their users that “LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”

Further Resources

As I find more articles that are interesting, I’ll add them here.
