Welcome to 2023! What with the holidays (you do remember them, right?) and the end-of-year distractions (hello, bomb cyclone!) you may have missed the news about a data breach at LastPass. Or you may have read about the LastPass breach but were not sure what you could, or should, do about it. Let me help you with that.
The TL;DR version: your passwords are most likely safe, but you should be on guard for spear phishing attacks.
What Happened During the LastPass Breach
You can read directly from LastPass about what happened here. To summarize:
- Hackers broke into LastPass cloud storage in August and stole some source code and technical information.
- The hackers then used this information to trick a LastPass employee into disclosing their account credentials.
- In November or December, the hackers exfiltrated some customer data.
Notice a few things about the LastPass breach.
- The breach happened over months, not days or hours.
- The hackers stole information that allowed them to phish an employee and gain user access. This should sound familiar!
- It sounds like LastPass discovered the breach of customer data after the fact, not while it was happening.
(As an aside, not everyone was happy with the LastPass breach communication. Here is one example. Some of this is a bit in-the-weeds criticism. Other criticism focuses on how LastPass communicated the breach news. This is worth reading if you are responsible for communicating details about a breach to your stakeholders.)
Your Passwords are Safe. Most Likely.
Before you panic over this LastPass breach, give thanks to NIST for AES-256 encryption. (Go here for some details.) LastPass uses it to encrypt your passwords. This means that hackers, unless they also have your LastPass master password, would have to brute-force the encrypted file to get at your passwords. This process would take somewhere between a long time and forever, depending on who you ask (and on how strong your master password is). The US government uses AES-256 to encrypt Top Secret information. That sounds like an endorsement to me.
Hackers Obtained “Metadata” So They Can Spear Phish You.
Your passwords are safe. That is the good news.
Now for the bad news. LastPass stores other information about your website logins: things like your name, billing address, phone number, company/organization name, and the website URLs themselves. LastPass does not encrypt this information. So, once hackers stole this data in the LastPass breach, they did not have to do anything further to read it.
If a hacker knows you went to wellsfargo.com, they still do not have enough information to log into your Wells Fargo account. However, they do know (or can guess) that you have an account there. Knowing this, a hacker could craft a phishing message that appears to come from Wells Fargo. Not an ideal situation.
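To make the "passwords safe, metadata not" split concrete, here is an added example (not LastPass's code, and not a description of how LastPass actually stores vault data). It models one vault entry as a record whose URL sits in the clear beside an AES-256-GCM ciphertext of the credentials. The key is stretched from the master password with PBKDF2-HMAC-SHA256; the iteration count, salt size and record layout are assumptions made for this illustration. Anyone holding a stolen copy can read the URL at once, while every wrong master-password guess has to pay the key-derivation cost and still yields only an authentication error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Credentials is the part of a record that only the master password unlocks.
type Credentials struct{ Username, Password string }

// VaultRecord keeps the URL in the clear (the "metadata" the post describes)
// beside the AES-256-GCM ciphertext of the credentials.
type VaultRecord struct {
	URL        string // readable by anyone holding a stolen copy
	Salt       []byte // per-record salt for key derivation
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // sealed Credentials JSON, GCM tag included
}

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) using only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM stretches the master password into a 256-bit AES-GCM key. The 100000
// iterations are an assumption for this example, not LastPass's real setting.
func newGCM(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, 100000, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe way to continue without entropy
	}
	return b
}

// SealRecord encrypts creds under the master-password key and binds the
// plaintext URL as associated data: authenticated, but not hidden.
func SealRecord(master, url string, creds Credentials) (VaultRecord, error) {
	salt := randBytes(16)
	aead, err := newGCM(master, salt)
	if err != nil {
		return VaultRecord{}, err
	}
	plain, err := json.Marshal(creds)
	if err != nil {
		return VaultRecord{}, err
	}
	nonce := randBytes(aead.NonceSize())
	return VaultRecord{URL: url, Salt: salt, Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plain, []byte(url))}, nil
}

// OpenRecord fails unless the master password is right and the record (URL
// included) is untouched; a wrong guess yields an error, never partial text.
func OpenRecord(master string, rec VaultRecord) (Credentials, error) {
	aead, err := newGCM(master, rec.Salt)
	if err != nil {
		return Credentials{}, err
	}
	plain, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.URL))
	if err != nil {
		return Credentials{}, fmt.Errorf("wrong master password or tampered record")
	}
	var creds Credentials
	err = json.Unmarshal(plain, &creds)
	return creds, err
}

func main() {
	rec, _ := SealRecord("correct horse battery staple", "https://www.wellsfargo.com", Credentials{"alice", "example-only"}) // constructed sample entry
	_, err := OpenRecord("wrong guess", rec)
	fmt.Println("URL visible in stolen copy:", rec.URL, "| wrong master password:", err)
}
```

The URL is passed as GCM associated data on purpose: it stays readable, but swapping it on a stolen record breaks authentication, so a thief cannot quietly repoint an entry. The point the post makes still stands in the code: nothing about the ciphertext helps an attacker, but the URL alone already tells them where you bank.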
What You Should Do. Now.
Here are some steps you can take to respond to the LastPass breach.
- Change your master password. I know, it’s a pain. Even though your master password has probably not been guessed, take the extra step, and change it. LastPass recommends using a passphrase, which is a good idea. Remember to change the master password everywhere you use LastPass (browsers, computer, phone/tablet).
- Set up multi-factor authentication (MFA) with LastPass. Here is information on how to do that. LastPass works with authentication apps from Google, Microsoft, Duo, and others.
- Implement single sign-on (SSO) for your organizational applications. If users can access organizational apps via SSO, they do not need to store those app credentials in LastPass, and a LastPass breach will not put those apps at risk.
- Set up some user training on spear phishing. Hackers may have information (such as websites visited) that would help them create a more personalized (and therefore believable) phishing message.
- This LastPass breach is another good reason to set up managed detection and response (MDR). If setting up MDR is too much for now, at least increase your audit log reviews. Be especially aware of unusual usage patterns for executives.
- Let users know that the LastPass breach is not a good reason to stop using password managers. More on that next.
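The "increase your audit log reviews" step above is easier to act on with something that pre-sorts the log. The following is an added example, not part of the original post and not any vendor's tooling: it reads a constructed audit log (a made-up "timestamp key=value" format, RFC 5737 documentation addresses, fictional users) and flags the two patterns the post asks reviewers to watch for, a login from an address never seen before for that account and, for accounts tagged as executives, a login outside an assumed 07:00 to 19:00 UTC working window. The baseline of known addresses, the executive list and the working-hours window are all assumptions a real deployment would replace with its own data.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// LoginEvent is one parsed "event=login" line from the constructed audit log.
type LoginEvent struct {
	Time time.Time
	User string
	IP   string
}

// Alert records one login that deserves a human look.
type Alert struct {
	User, IP, Reason string
}

// parseLine expects "<RFC3339 time> key=value ..." lines (a constructed format,
// not any vendor's real export). Lines that are not login events return ok=false.
func parseLine(line string) (ev LoginEvent, ok bool, err error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return ev, false, fmt.Errorf("malformed line: %q", line)
	}
	if ev.Time, err = time.Parse(time.RFC3339, fields[0]); err != nil {
		return ev, false, err
	}
	event := ""
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			return ev, false, fmt.Errorf("malformed field %q", f)
		}
		switch k {
		case "user":
			ev.User = v
		case "ip":
			ev.IP = v
		case "event":
			event = v
		}
	}
	return ev, event == "login" && ev.User != "" && ev.IP != "", nil
}

// ReviewLogins flags a login from an address not previously seen for that
// account and, for executives, a login outside the assumed 07:00-19:00 UTC
// window. knownIPs (must be non-nil) is the per-user baseline and learns each
// new address, so a reviewer who has accepted it is not nagged about it again.
func ReviewLogins(lines []string, executives map[string]bool, knownIPs map[string]map[string]bool) ([]Alert, error) {
	var alerts []Alert
	for _, line := range lines {
		ev, ok, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if !ok {
			continue
		}
		if knownIPs[ev.User] == nil {
			knownIPs[ev.User] = map[string]bool{}
		}
		if !knownIPs[ev.User][ev.IP] {
			alerts = append(alerts, Alert{ev.User, ev.IP, "new-ip"})
			knownIPs[ev.User][ev.IP] = true
		}
		if hour := ev.Time.UTC().Hour(); executives[ev.User] && (hour < 7 || hour >= 19) {
			alerts = append(alerts, Alert{ev.User, ev.IP, "off-hours"})
		}
	}
	return alerts, nil
}

// SampleLog is constructed test data: documentation addresses, fictional users.
var SampleLog = []string{
	"2023-01-03T09:15:00Z user=cfo@example.com ip=198.51.100.7 event=login",
	"2023-01-03T02:40:00Z user=cfo@example.com ip=203.0.113.9 event=login",
	"2023-01-03T10:05:00Z user=bob@example.com ip=198.51.100.22 event=login",
	"2023-01-03T10:06:00Z user=bob@example.com ip=198.51.100.22 event=password_change",
	"2023-01-03T23:50:00Z user=bob@example.com ip=192.0.2.44 event=login",
}

func main() {
	executives := map[string]bool{"cfo@example.com": true} // assumed executive list
	baseline := map[string]map[string]bool{                // assumed known addresses
		"cfo@example.com": {"198.51.100.7": true},
		"bob@example.com": {"198.51.100.22": true},
	}
	alerts, err := ReviewLogins(SampleLog, executives, baseline)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("REVIEW %-9s user=%s ip=%s\n", a.Reason, a.User, a.IP)
	}
}
```

On the sample data this yields three items for review: the CFO's 02:40 login from a new address (flagged both as new-ip and off-hours) and bob's late login from a new address (new-ip only, since bob is not on the executive list). The point is not the rules themselves, which are deliberately simple, but that a reviewer looking at three lines instead of five thousand is far more likely to notice the compromised executive account the post warns about.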
What Does This Breach Say About Using Password Managers?
Should you react to the LastPass breach by ditching LastPass? Only if you are moving from LastPass to another password manager.
Some will argue that password managers are a bad bet since they are natural targets for hackers. However, what are the alternatives? I do not know enough to say that one password manager is technically superior to another. Maybe someone can educate me on that.
Others will advocate for the old-fashioned method: write the passwords down on a piece of paper. How is that going to work on the days you are working away from that paper? Users are going to write their passwords down in some digital form. And now we are back to weighing the convenience of keeping that form updated and usable against the risk that it can be stolen and cracked.
The real issue here is passwords. Until we can access everything via Face ID or some biometric means, we are going to have passwords. And password managers, limited as they are, will be the best way to manage those passwords. Learn from the LastPass breach and be smart about how you use your password manager.