When most people put aside their digital life and started enjoying their holiday quality time, LastPass had an eerie announcement to make.
On 22 December 2022, the popular password management service revealed that some attackers had gained access to sensitive information the service had stored.
LastPass announced this through an ongoing thread about the attacks that started in August 2022. Although people knew about the LastPass attack in August 2022, most people realized the depth of the issue only after this recent announcement.
Since we have used and recommended LastPass in the past, we wanted to give you a heads-up! In this guide, we have discussed everything you must know about the recent LastPass breach and what you should do to keep your digital life secure.
About the LastPass data breach
Let’s have a quick overview of how the LastPass data breach happened. We do not encourage rumors, so we are using the information provided by LastPass itself.
It all started in August 2022, when LastPass detected some unusual activity within the LastPass development environment. According to the company, an attacker used a compromised developer account to steal source code and proprietary technical information. In response to this problem, LastPass deployed many measures to mitigate the situation. However, at this point, LastPass claimed that the attacker did not have access to password vaults or master passwords. Therefore, it did not require any user-initiated steps either.
In September 2022, LastPass updated the blog post with conclusions from the investigation, stating that the attacker could not access any sensitive information, thanks to the security systems at LastPass. But, many things changed with a November 2022 update, where the company claimed that some elements of customers’ information had been compromised. However, even then, LastPass iterated that the password data of users was 100% secure.
The latest update, published on 22 December 2022, changes the entire narrative. LastPass announced that it came to know that the threat actor managed to steal customer vault data and customer account info —from a backup system. It is worth noting that the password vaults at LastPass are encrypted using the 256-bit system and require the master password for decryption. Because LastPass does not know the master password, the threat actor can only use brute force to decrypt the password information.
At first look, it may seem you don’t have to worry. But the real question comes down to whether your master password for LastPass is secure enough.
The potential problem with LastPass master password
Since its beginning, LastPass has asked users to create a strong master password. Three significant principles are used here.
- First, the master password must be twelve characters long. And the LastPass app encourages you to use alphabets, numbers, special symbols, and a combination of uppercase and lowercase letters.
- The company also uses a unique algorithm to ensure that currently available systems cannot crack master passwords.
- Last but most importantly, LastPass asks users not to use the master password elsewhere on the web. So, even if one of your accounts is compromised, attackers cannot access your master password.
As you can guess, many people may find it tricky to say Yes to the third point.
What should you do?
According to LastPass, if your master password fulfills all three requirements mentioned above, you have nothing to worry about. Using available brute force methods, the threat actor will need millions of years to decrypt your password.
But, if you have used the master password elsewhere, you might be at risk.
Here’s what could happen:
If any of these websites have been compromised, the password data may be available on the deep/dark web for sale. Threat actors could use this data dump to unlock the LastPass password vaults, also decrypting them sooner or later.
Now, that puts you in a difficult position, doesn’t it? In this case, the threat actor will have access to all the passwords you have stored using LastPass. It also means you have to change the password of every website on that list.
How about other LastPass users?
If you use a recommended LastPass master password, you do not have to worry. The attacker can’t use the LastPass password vaults against you. So you can sit back and relax. But there is another question you may want to ask yourself:
Should I continue using LastPass?
Well, we have an opinion on this. And you have two options.
There is no need to lose hope in LastPass because of this data breach attack alone. But, we must understand that threat attackers are advancing their methods to crack the digital security walls we build. Therefore, the event involving LastPass should not come as a surprise.
More importantly, since August 2022, LastPass has been transparent about the whole event and has taken measures to counteract threat actors. We can also expect the company to roll out better updates and improvements in the future.
But, then, there is the side of safety and mental peace. If you do not want to spend time anxious about what could happen in the future if you rely on LastPass, you can explore other options. Enpass and Bitwarden are two companies that you can trust. Enpass is a paid password manager, while Bitwarden is open-source. So, you have options. They already offer great software management features, but everything will be improved in the coming months, partly thanks to what LastPass has revealed.
This point could be more relatable for those who use LastPass to store business-related data, including passwords. The last thing you need is to worry about whether your password management service is secure enough, correct?
Mind you, simply moving to another password manager does not protect you from all threats. On the other hand, you have to make better decisions when it comes to passwords and credentials. For instance, it is time you stopped using guessable passwords and common names. Instead, a password containing multiple cases, words, numbers, and special characters shall help you.
We would like you to consider the LastPass 2022 data breach as a reminder: not to ignore the basics of digital security because you use a password manager. Even though things might be a little difficult for some users, it will create a secure internet for most of us.