Latest LastPass data breach exposes user passwords: here’s what to do

by | Jan 4, 2023 | Business, Cloud, Managed Services, Security

Creative rendition of stealing user data: a bank vault with the door wide open, and a sign advertising where to go. SpireTech.

The password manager LastPass has suffered a major data breach. Or, more accurately, another major data breach. Using information gained during a security breach in August 2022, threat actors were able to get a full copy of the data LastPass stores on a cloud-based server. As Wladimir Palant, security researcher and one of the original developers of AdBlock Pro, puts it, this “isn’t a new breach now, LastPass rather failed to contain the August 2022 breach.”

If you don’t know, a password manager is a web-based service that stores your passwords in an encrypted, cloud-based vault. It is generally considered a more secure alternative to, for example, writing your passwords on paper or reusing the same one across multiple sites.

The threat actors were able to copy LastPass’s data from one of its cloud-based servers; whether that server held a backup or was used in daily operations, LastPass did not specify. LastPass took care to note that the threat actors accessed something physically separate from its own facilities. This makes no difference: the stolen information was still valuable and personal.

The information a person keeps with LastPass is not 100% encrypted, as many people might assume. Instead, LastPass keeps some information unencrypted in a person’s profile and locks only the “more private” information behind the user’s Master Password. LastPass’s position is that its users are safe even if the threat actors hold unencrypted user data such as names, website URLs, and more, because the vital data is safeguarded by the user’s Master Password. (Security experts disagree—that unencrypted information can be used against a user effectively, especially in a phishing scheme personalized to a user’s habits.) Only with the Master Password can a user view their encrypted data in the clear. But plenty of damage could be done with the data LastPass chooses to leave unencrypted, a problem that the company does not address.

In its official statement, released right before Christmas 2022, LastPass reassures users that, if they are using the Master Password standards it has had in place since 2018:

It would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. 

In his blog post addressing the LastPass breach, Palant has scathing criticisms of the company, with good reason.  

Their so-called Zero Knowledge architecture is one of the final defenses between a hacking attempt and their users’ data. The idea behind the Zero Knowledge standard is that a user’s Master Password, something only the user is supposed to know, is required to access that user’s encrypted data. There are multiple concerns with this, and both Palant and Jeremi Gosney consider the claim to be an outright lie.

A Master Password is accessed, if obliquely, every time a user uses LastPass’s browser extension to log in to a website. Moreover, if someone reuses their Master Password anywhere else on the Internet, that dramatically decreases its effectiveness. Lastly, just because LastPass says it doesn’t store Master Passwords does not prevent a threat actor, or someone internal to LastPass, from storing them. As we learned last month, malicious attacks can even target a browser’s cookies.

These are the most egregious worries with LastPass’s “Zero Knowledge” architecture, but more stem from the way LastPass operates as a company. Its “best practices” for Master Passwords, last updated in 2018, call for a minimum of twelve characters, and for strengthening the Master Password with 100,100 iterations of the PBKDF2 key-derivation algorithm. LastPass describes this as “stronger-than-typical”; Palant describes it as “the lowest protection level that is still somewhat (barely) acceptable today.” The number of iterations OWASP (the Open Web Application Security Project) recommends for PBKDF2 is in fact over 300,000.

LastPass acts in the company’s best interest, not its clients’. Legacy users of LastPass, meaning the people who first decided to take a chance on this company, may still be using the weaker password recommendations of previous years or have a lower number of iterations in their settings, without notice or warning from LastPass that the standards have changed.

In other words, LastPass does not require its users to stay up to date with best practices, nor (according to Palant) notify them that they are using outdated standards. And yet its press release on this latest breach is prepared to place blame on its users: “If you use the default settings above… there are no recommended actions you need to take at this time.”
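To make the iteration-count argument and the legacy-settings problem above concrete, here is an added Python example that is not from the article, from Palant, or from LastPass: it stretches a master password with PBKDF2-HMAC-SHA256 from the standard library, times one derivation so you can see what each guess against a stolen vault costs at 100,100 versus 310,000 iterations (the OWASP figure the article rounds to “over 300,000”), and flags constructed sample accounts whose stored iteration count is below that figure. Salting with the account e-mail and a 32-byte key are assumptions for illustration only.

```python
import hashlib
import time

LASTPASS_DEFAULT_ITERATIONS = 100_100  # LastPass default since 2018 (from the article)
OWASP_MIN_ITERATIONS = 310_000  # OWASP PBKDF2-HMAC-SHA256 figure, "over 300,000" here
KEY_LEN = 32  # 256-bit derived key; an assumption, the page gives no key size


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch a master password with PBKDF2-HMAC-SHA256 (stdlib, C-backed).
    Salting with the account e-mail is an assumption for illustration; the
    article only says LastPass applies PBKDF2 with 100,100 iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               salt.encode(), iterations, dklen=KEY_LEN)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation: each candidate an attacker tries against a stolen
    vault costs at least this much, so iterations scale their bill linearly."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples


def guess_space(charset_size: int, length: int) -> int:
    """Candidate passwords of a given length over a character set."""
    return charset_size ** length


def accounts_below_minimum(accounts, minimum=OWASP_MIN_ITERATIONS):
    """Given (email, iterations) pairs, return the e-mails whose stored count
    is below `minimum`: the legacy-settings problem the article describes."""
    return [email for email, iters in accounts if iters < minimum]


if __name__ == "__main__":
    # Constructed sample: a legacy user, a 2018-default user, an updated user.
    sample = [("legacy@example.com", 5_000),
              ("default@example.com", LASTPASS_DEFAULT_ITERATIONS),
              ("updated@example.com", 600_000)]
    print("below OWASP minimum:", accounts_below_minimum(sample))
    print(f"one guess at 100,100 iterations: "
          f"{seconds_per_guess(LASTPASS_DEFAULT_ITERATIONS) * 1000:.1f} ms")
    print("cost multiplier at OWASP minimum:",
          round(OWASP_MIN_ITERATIONS / LASTPASS_DEFAULT_ITERATIONS, 2))
    print("12-char printable-ASCII guess space:", guess_space(95, 12))
```

The timing is per guess on one CPU core; a GPU cracking rig is far faster per guess, but the ratio between iteration counts carries over unchanged.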

What to do if you use LastPass

  1. Change all of the passwords you have stored in it
  2. Change your Master Password
  3. Consider switching to a different password manager

If a LastPass user acted on the password manager’s official statements alone, they might think their information remains safe. However, security experts like Jeremi Gosney and Wladimir Palant both recommend switching to a different password manager, like, yesterday.

What remains is simple: what is best for LastPass the company is for users to stay; the best thing for its users is to get out of Dodge. Operating a cloud-based security service as though every user is a security expert is a recipe for disaster, and disaster has struck. Get out before it affects you, too.

Read more: 

The LastPass disclosure of leaked password vaults is being torn apart by security experts – The Verge