LastPass CEO Karim Toubba has announced that the password management company suffered a security breach last month, with attackers making off with unencrypted customer account data and customer vaults containing encrypted usernames and passwords.
This could be a nightmare situation for LastPass, but most users shouldn’t be at significant risk because the company’s Zero Knowledge security architecture prevents it from having access to or knowledge of a user’s master password—the stolen data doesn’t contain any master passwords. This safeguard should prevent the attackers from decrypting the stolen usernames and passwords.
LastPass has been fairly transparent about the breach, posting when it happened and following up this week with additional details. Although LastPass’s on-premises production environment was not breached, the attacker was able to leverage information captured in an earlier breach of a developer’s account in August 2022 to target another employee’s account in order to steal data from cloud-based storage that LastPass used for backup. (Arguably, these events are all part of a single breach.)
This incident highlights weaknesses in LastPass’s approach to security. The stolen data included unencrypted customer account information (names, addresses, and phone numbers, but not credit card details) and encrypted customer vault data. LastPass secures usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, and they can be decrypted only with a unique encryption key derived from each user’s master password. Within user vaults, however, website URLs associated with password entries weren’t encrypted. That’s problematic.
More seriously, LastPass relies entirely on that user-selected master password to secure encrypted data. Even though the company has hardened minimum requirements for setting passwords, users can set master passwords weak enough to be susceptible to cracking attempts. Apple’s iCloud Keychain, 1Password’s cloud-based storage, and some other solutions mix device-based keys with master passwords or account logins for far greater resistance—an attacker has to obtain and unlock a device in addition to compromising a vault or account password.
What Actions Should LastPass Users Take?
As long as you used your LastPass master password only at LastPass and retained the company’s default settings, LastPass does not recommend any actions at this time. (The defaults require a minimum of 12-character master passwords and specify a high number of iterations—100,100—in the PBKDF2 password-strengthening algorithm.)
A brute-force decryption might be successful against your master password if you reused it on another site that had been compromised, set one that’s fewer than 12 characters (never do that!), or lowered the default password-strengthening settings. (Some long-time users found that they had much lower settings of 500 or 5000 for the PBKDF2 algorithm—here’s how to check.) If any of those are true, change your master password immediately and turn on multifactor authentication. (Use the LastPass Authenticator app: for instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.)
Because the vaults were stolen, nothing you do can protect the integrity of that data, which is already in the hands of the thieves. LastPass suggests people at risk of having their master password cracked consider changing passwords on stored websites. Start with the crucial accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data. If you’re worried, change passwords more broadly. (Typically, you never need to change unique, strong passwords, but here your core secrets were stolen, even if they remain encrypted.)
Those with weak master passwords should also change them and enable multifactor authentication for their LastPass accounts. Even though the horse is out of the barn, you can get a new horse and secure the door behind it: possible future breaches are less likely to affect you if you have updated the passwords stored in your vault and have secured them with a new strong, unique password.
Regardless of the strength of their master passwords, LastPass users must now be especially alert for targeted phishing attacks. Since LastPass vault backups did not encrypt website URLs, phishers can combine them with an email address associated with your unencrypted account information.
If you are at all uncertain that an email or text message that links to a login page isn’t legitimate, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify. Particularly watch out for credit-card warnings and package-tracking alerts—both are ready paths for phishers in the best of times and even more likely to fool users during the holiday season.
Questions and Concerns
Obviously, LastPass made mistakes here, but at least the company is being transparent about what happened. It doesn’t seem as though LastPass was cavalier about security—this sounds like a sophisticated, multi-prong attack that took months to carry out. It’s a worthwhile lesson for all organizations to realize that targeted attacks on one employee and then another ultimately allowed the breach of massive amounts of data. Nonetheless, the outcome raises questions and concerns.
Should LastPass users consider switching to another password management solution?
Yes, for two reasons. First, it’s troubling that LastPass isn’t using a secret key entangled with the master password to protect against thefts like this. Second, the attackers might be able to exploit the stolen information to compromise LastPass’s systems again. LastPass hardened its systems in response to the August breach of one developer’s account, but that wasn’t sufficient to stymie the November attack on the second employee.
Conversely, as far as we know, LastPass’s Zero Knowledge architecture remains secure, so if you’re comfortable with the strength of your master password and you trust LastPass’s overall architecture, you should be able to continue using it with no additional worry.
As someone who has used LastPass for many years as my primary solution—Tonya uses 1Password, and we share a family vault with Tristan—I’m not planning to switch based on this breach alone. However, I have been suffering from other irritations with LastPass—its multifactor authentication failing on the Apple Watch, its inability to remember that I want generated passwords to include symbols and be 20 characters long, and its Chrome extension frequently becoming corrupted (see “Chrome Extensions Disappearing? Click Repair,” 24 August 2021)—so I’ve decided to switch to 1Password when I find the time.
Is this breach an indictment of the entire concept of cloud-based password management services?
While some would undoubtedly say yes, arguing that locally managed passwords are not susceptible to attacks on a company, the issue has more to do with how cloud-based data is secured. While LastPass doesn’t hold the encryption keys to your data, its encryption method isn’t as strong as it could be because all the encryption power is locked in a single master password that can be entered anywhere, rather than requiring multiple components, some or all of which are held separately.
Swearing off cloud-based storage in favor of locally managed passwords also presumes you wouldn’t fall prey to phishing or other attacks that target you randomly instead of specifically. The LastPass breach required direct attacks on specific employees, but scattershot attacks can be automated or distributed broadly via malware—the attackers don’t know or care who their victims are.
Plus, cloud-based systems provide two compelling features: syncing among multiple devices and platforms and sharing particular passwords with other users of the same system. Syncing is fairly easy to replicate using iCloud, Dropbox, or the like, but sharing passwords with other people requires a shared account.
Are other password managers vulnerable to similar attacks?
I wouldn’t think so. The LastPass breach relied on previously stolen information that provided access to secondary backup storage thanks to credentials and information stolen in attacks targeting individual employees. It was a custom attack and couldn’t be used against other firms. And LastPass’s reliance on a single master password also puts its users’ data at unique risk.
That said, I have to assume that all password management services are under near-constant attack because, to paraphrase bank robber Willie Sutton, that’s where the passwords are. These companies may consider such attacks business as usual, or they may be using LastPass’s incident as an excuse to reexamine their security practices to make sure they haven’t missed anything. LastPass presumably didn’t think it had missed anything before August 2022.
When will passkeys eliminate problems like this?
I don’t know for sure, but the transition can’t happen soon enough. See “Why Passkeys Will Be Simpler and More Secure Than Passwords” (27 June 2022).