If you’re still a LastPass customer by now, you should consider ditching the password manager app the first chance you get. Well, that’s after Christmas or the holidays because that’s what most people are concerned about right now. And it’s now that LastPass decided to announce that hackers who breached its systems have been able to steal the encrypted vaults containing your passwords.
Now, the Thursday before Christmas, LastPass issued a notice of a recent security incident where hackers stole a copy of “a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
LastPass seems to suggest there is no reason to panic. You should still be worried.
LastPass’s most recent security issues started in August when hackers accessed its cloud-based storage. At the time, the hackers did not obtain any customer data. But then, in November, LastPass detected another intrusion based on the August breach.
It’s unclear whether the hackers stole the encrypted passwords in November. But LastPass says in the new announcement that attackers went after an employee, and that’s how they obtained “credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”
LastPass tells customers that their passwords and credit cards are safe even though hackers obtained the encrypted vaults:
These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
But that’s not good enough. It’s nearly impossible to breach those vaults. Nearly. It can happen, though, if attackers can brute force their way into yours. If you have a weak master password or one you recycle with other internet services that might have seen breaches before, that’s a risk. Hackers might guess it.
Let’s remember that attackers also obtained unencrypted data. They know what sites you might have saved passwords or credit cards for in LastPass’s vault. The attackers might try other ways to obtain the master password of your account, like phishing attacks and social engineering.
After all, the hackers also stole “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses” from which customers accessed LastPass.
LastPass also notes that since 2018 it has implemented new security features, including “a stronger password-strengthening algorithm that makes it difficult to guess your master password.”
With these default settings in place, “it would take millions of years to guess your master password using generally-available password-cracking technology.” LastPass says there are no recommended actions customers should take at this time if the above applies to your account.
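The two claims above, that the vault key is derived from the master password and that the password-strengthening settings decide how long offline guessing takes, can be made concrete with a small estimator. The following is an added example, not code from the article or from LastPass; it assumes a PBKDF2-HMAC-SHA256 derivation salted with the account e-mail, picks 5,000 and 100,100 as illustrative low and default iteration counts, and assumes a constructed attacker throughput of 10^10 HMAC-SHA256 evaluations per second. The function names are invented for this example.

```python
import hashlib

# Assumptions (not stated in the article): the vault key is PBKDF2-HMAC-SHA256
# over the master password, salted with the account e-mail. The iteration
# counts are illustrative values chosen for this example, not article figures.
LOW_ITERATIONS = 5_000
DEFAULT_ITERATIONS = 100_100
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit (32-byte) AES key that protects the encrypted fields.

    Only the master password and the iteration count go in; the service never
    needs to store the password itself, which is the property the article quotes.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),  # assumption: e-mail used as salt
        iterations,
        dklen=32,
    )


def guess_space(charset_size: int, length: int) -> int:
    """Number of candidate passwords an attacker must try to exhaust a class."""
    return charset_size ** length


def guesses_per_second(iterations: int, hmac_rate: float) -> float:
    """Each PBKDF2 guess costs roughly `iterations` HMAC-SHA256 evaluations,
    so raising the iteration count divides the attacker's guess rate."""
    return hmac_rate / iterations


def years_to_exhaust(space: int, iterations: int, hmac_rate: float) -> float:
    """Worst-case years to try every password in `space` at the given settings."""
    seconds = space / guesses_per_second(iterations, hmac_rate)
    return seconds / SECONDS_PER_YEAR


def compare_settings(hmac_rate: float = 1e10) -> dict:
    """Years to exhaust several password classes at low vs default iterations.

    `hmac_rate` is a constructed figure for a dedicated cracking rig; it only
    scales the results, the ratio between settings is what matters.
    """
    scenarios = {
        "8 lowercase letters": guess_space(26, 8),
        "8 mixed chars (95 printable)": guess_space(95, 8),
        "4 words from a 7,776-word list": guess_space(7776, 4),
        "12 mixed chars (95 printable)": guess_space(95, 12),
    }
    return {
        name: {
            "low": years_to_exhaust(space, LOW_ITERATIONS, hmac_rate),
            "default": years_to_exhaust(space, DEFAULT_ITERATIONS, hmac_rate),
        }
        for name, space in scenarios.items()
    }


if __name__ == "__main__":
    # Constructed sample account; the key is shown only to prove the derivation runs.
    key = derive_vault_key("correct horse battery staple", "user@example.com", DEFAULT_ITERATIONS)
    print(f"derived key: {key.hex()} ({len(key) * 8} bits)")
    for name, years in compare_settings().items():
        print(f"{name:32s} low: {years['low']:12.3g} y   default: {years['default']:12.3g} y")
```

Running it shows why the article's two warnings coexist: a short, all-lowercase master password falls within days under either setting, so the iteration count alone cannot rescue a weak or reused password, while a long random one reaches the "millions of years" range only at the default count. An account left on a low iteration count is the case the article flags as needing a password rotation.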
But you’re at risk if your account doesn’t use these defaults. LastPass advises users to minimize risk by “changing passwords of website you have stored.” Every single website. Before Christmas.
Some Business accounts that are not using Federated Login Services might also be at risk. The company says it has notified fewer than 3% of those users to take specific actions.
The problem in all this isn’t the hack itself, a risk that any cloud-based service is exposed to. It’s really the way LastPass dropped this disturbing news. Right before Christmas, when people have bigger worries than their password managers. It really seems impossible that they’ve just found out about it now, considering they’ve been investigating this breach since August.
If you are a LastPass customer who is just hearing about hackers potentially stealing your encrypted passwords, you should do at least one thing. Find the time to change all your passwords (master included), and pay extra attention to credit card information and information you’ve stored in notes.
I’d go one step further. I’d transfer all my passwords to a different manager and ditch my LastPass subscription. Even if the hackers need a million years to break into my vault.