LastPass Breach: Implications, Lessons, and Actions You Can Take
I do not normally post about security breaches, mostly because they are all too common and there are way too many to keep up on. If I posted about each security breach, there would be nothing else on this site. However, the recent revelations from the LastPass breach are noteworthy enough for me to post about.
The "Too Long; Didn’t Read" version is that LastPass suffered a breach where malicious actors were able to get customer production data, including some metadata that could be used in targeted phishing or social engineering attacks.
Software is not easy to write, nor is it ever without some sort of bug somewhere. Software will likely never be 100% bug free; no matter how many people look at a piece of code, or how secure one thinks it is, it cannot be 100% secure. Maybe one day it will be possible, but for now it is not.
If you were to travel back twenty years, a vulnerability in a piece of code might have been fairly straightforward to exploit. However, the industry has come a long way, and gaining access to things is becoming increasingly difficult. Even so, it is still possible to gain access to sensitive information. LastPass, a password manager service, suffered a breach back in August that has had further implications and ramifications. Before we delve into the latest on the incident, let us look at what a password manager is.
What is a Password Manager?
There are some things that you need to do to be as secure as possible in today’s internet. The biggest thing you can do is have a different, and hard to guess, password on EVERY site you use. There are many approaches that people have taken over the years and all of these are fallible. The only way to truly remain safe is to have a different password for each and every site. Ideally, these passwords should be difficult to remember. This is where a password manager can come in handy.
Password managers are not new; they have been around for quite a long time. Password managers are pieces of software that allow you to store passwords for all of the websites and services that you use. Many password managers can also generate passwords for you, as well as automatically fill in previously stored passwords. Password managers can store more than just passwords. Here are some things that can be stored in many password managers:
- Credit/Debit Cards
- Driver's Licenses
- Insurance Cards
- Social Security Numbers
These are just some of the types of things that can be stored in a password manager. Storing all of this information in a single place is convenient, but it can also become a single point of failure. This is where using a cloud-based service can be useful, because it can help you recover your information.
Password managers are designed to securely store information. This is accomplished by encrypting anything stored. Encryption takes plain text, like a password, and turns it into what looks like random gibberish to anyone looking at the encrypted text. For you to be able to read the stored data, it must be decrypted. Most password managers accomplish this encryption and decryption with what is called a "master password".
The "master password" is a single password that is known by you which is used to encrypt and decrypt all of your data. You can enhance this by adding a second factor, like a one-time code or a hardware token.
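As an added illustration (not code from LastPass or any other product), this Python sketch shows how a master password can be stretched into keys that seal a vault entry, so the stored blob is unreadable and tamper-evident without it. PBKDF2, the iteration count, and the HMAC-based keystream standing in for AES are assumptions chosen so the example runs with only the standard library.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; real products pick their own


def derive_keys(master_password, salt):
    """Stretch the master password, then split it into cipher and MAC keys."""
    root = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS
    )
    enc_key = hmac.new(root, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for AES.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password, plaintext):
    """Return salt || nonce || ciphertext || tag: what a sync service stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(master_password, blob):
    """Return the plaintext, or None for a wrong password or altered blob."""
    if len(blob) < 64:
        return None
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, body[:16])
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, body[16:32], body[32:])
```

Because the keys are derived only from the master password and a random salt, a copy of the sealed blob alone is only as strong as that password, which is why its length and uniqueness matter.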
All of the major password managers now synchronize your data to all of your devices to make it easier to access all of your data no matter where you are. Some password managers are even entirely cross-platform, meaning they can synchronize to macOS, iOS, Windows, Android, and Linux.
One of the major vendors is "LastPass", and LastPass has recently suffered a breach that has become worse as time has gone on. Let us look at what LastPass has reported.
LastPass Breach Incidents
Back on August 25th, 2022, LastPass announced that they had suffered a breach that had occurred a couple of weeks prior. At the time, LastPass indicated that neither Master Passwords nor customer data was compromised in that breach. Additionally, at the time they did not recommend any action by users.
As is best practice, they investigated the incident and provided an update on September 15th. In that statement LastPass stated:
"Firstly, the LastPass Development environment is physically separated from, and has no direct connectivity to, our Production environment. Secondly the Development environment does not contain any customer data or encrypted vaults."
On November 30th, 2022, LastPass posted about a second security incident. This update stated:
"We recently detected unusual activity within a third-party cloud storage service…" The update continues, "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information".
On December 22nd, 2022, LastPass posted another update. This one started off,
We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.
This part from the December 22nd, 2022 statement is the key. The statement continues:
**the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses** from which customers were accessing the LastPass service.
The information in the above quote is the "metadata" information that the malicious actors were able to retrieve. As of this writing, this is all that LastPass has shared about the incident.
What does this mean?
The big question that many LastPass users will be asking is "what does this mean?". As with so many things regarding computers, the answer is "it depends". It depends on a few things.
The first question you need to ask yourself is: "Am I using my master password on other sites?" If the answer to this is "yes", then you need to immediately change your master password on LastPass, and then begin changing ALL, yes ALL, of your other passwords. This is because if they can use your master password on another site, they have a way in to possibly begin compromising other sites, particularly if your master password is used to access your email. Furthermore, if they unlock your vault, then they have full access to all of your accounts.
If you have a different master password that is unique and at least 12 characters long, it is unlikely that a malicious actor will be able to access your data. However, there are some caveats to this. Be sure to see the support incident article, and the link in that article to the algorithm used for passwords, to make sure that your account is as secure as possible. If you created your account after 2018, you should be using this secure method by default.
Furthermore, if you have two-factor authentication enabled on your LastPass account, it will make it significantly more difficult for them to unlock it. However, you do need to secure those second-factor methods, like cell phone and email accounts.
Even if your passwords themselves are safe, malicious actors may be able to use the "metadata" information (billing address, end-user names, company name, etc.) gleaned through the LastPass breach to possibly create targeted phishing emails. While it is unlikely that most people will be targeted, any business customers affected are very likely to be targeted. Therefore, they should be aware that phishing emails, or social engineering attacks, are entirely possible.
Also as stated in the December 22nd, 2022 update,
We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations.
This means that there are some businesses who might not have the most secure data and could possibly be targeted by malicious actors due to the data retrieved through this incident.
There are likely some lessons that can be learned, in particular for other password manager services, like BitWarden, 1Password, and any others. Hopefully, each of these companies is looking at its current practices when it comes to customer data storage, including backups. The information that they should be looking at includes where customer information is stored, who has access to it, and whether there is any way that those backups could be breached to gain access to customer data.
If you are a LastPass user, you might learn some lessons as well. First, no company is infallible and all can suffer data breaches. However, while you trust companies with your data, it is ultimately on you to make sure that your data is as secure as possible by following the latest security practices, like having unique passwords for every website and service, as well as having a unique ‘master password’ for your password manager.
Should you move away from LastPass?
This is a question that many people are asking. There is one contingent of people who say "Yes, you should move away from LastPass". They say this because their trust in LastPass has been eliminated, given that the entire job of LastPass is to store your most sensitive information, and they have not been able to do that.
The other contingent says "No, you shouldn’t leave LastPass", and the reason that they give is that LastPass will now be super vigilant about securing user data.
Regardless of whether or not you think someone should move away from LastPass, there is one thing that everybody agrees that you should not do. You should NOT give up on password managers in general. If you do opt to leave LastPass, be sure to use another password manager, because any password manager is better than not using one at all. If you are going to leave LastPass, there are a few other options, including BitWarden, 1Password, KeePass, or even using your operating system’s built-in password manager, if it has one.
I do not use LastPass, so I am not affected by this breach, but I am sure many others are affected. If you are affected, it is best to check all of your security settings and change your master password, particularly if you have used your master password elsewhere or if it is less than 12 characters in length. This should be done even if you are going to ultimately move away from LastPass. It does not change the data that may have been compromised, but changing passwords on sites will limit the ability of malicious actors to easily gain access.
I have no doubt that LastPass will ultimately end up losing customers over this incident, not because an incident happened, but more likely due to a loss of trust in LastPass being able to secure users’ data. One other possible reason is the timing of the release, which was at 3pm on Thursday, December 22nd, right before a holiday weekend when most journalists are already gone for the holiday, if not the remainder of the year.
Having a developer platform breached, as LastPass did back in August, is one thing, particularly because many developer environments are running early and untested versions of software. This can be overlooked. However, having that incident result in a malicious actor accessing live customer data and copying that data, including private vaults, as well as other data, is an entirely different thing that some users will not overlook. What you choose to do is, of course, up to you.