What you need to know about the LastPass Hack
What’s happened?
Just days before Christmas, when most people probably weren’t paying too much attention, password management service LastPass revealed that hackers had accessed customers’ password vaults.
You’re probably thinking of the original announcement LastPass made back on August 25 2022, where it said that a hacker had managed to gain access to a developer’s account, and stolen some of its source code from a development environment.
Back then LastPass said that it had “seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
So they were wrong when they said that?
Well, LastPass might have not seen any evidence that customers’ password vaults had been accessed then, but…
But when a company says it has “seen no evidence” of anything bad happening, that’s not necessarily the same as saying “nothing bad happened”?
Correct. And sure enough, just before Christmas, LastPass confirmed that the information stolen from a developer’s account in the August 2022 attack was actually “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes…”
The stolen data includes the following unencrypted data:
- company names
- end user names
- billing addresses
- telephone numbers
- email addresses
- IP addresses that customers used to access LastPass
- website URLs from your password vault
In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use.
That’s valuable information for anyone attempting to phish further information from you, as they could easily pose as one of the websites you access and send you a scam email.
Furthermore, simply knowing which websites you access (and store in your password manager) might reveal private information about you that you would rather remain confidential.
And further still, the URLs you stored may contain password reset links that have not yet expired, or other sensitive tokens and parameters that you would not want to fall into the wrong hands.
But it gets worse, because the hackers also stole encrypted customer data, including:
- website usernames and passwords
- secure notes
- form-filled data
But that’s encrypted, right?
Yes, it’s encrypted. The hackers need to determine what your LastPass master password is, to access the crown jewels – the usernames and passwords to all your online accounts.
You might be thinking, Well I have a strong hard-to-guess unique password. And I have two-factor authentication (2FA) enabled on my LastPass account.
2FA is irrelevant in this case. 2FA guards the login to LastPass’s servers, but the hackers have already stolen a copy of the vault data and can attack it offline on their own hardware, so they never need to log into anyone’s LastPass account.
Similarly, changing your password now doesn’t undo the data breach. It may still be a sensible step to take, of course.
And what’s going to help the hackers is that many, many LastPass users are likely to have chosen master passwords that are much weaker than LastPass itself recommends.
Since 2018, LastPass says it has recommended and required a “twelve-character minimum for master passwords”.
Aside from the fact that the number of characters alone isn’t a good indicator of password strength, it appears that customers who have been with LastPass since before 2018 have not been required to update their master passwords to meet LastPass’s own recommendations – leaving the encrypted parts of their password vaults much more vulnerable.
And what’s more, security researchers have revealed that at least some longer-standing users’ vaults have had their encryption key derived from the master password in a way that makes that master password far too easy to crack.
What do you mean?
As researcher Wladimir Palant details, LastPass does not store your master password; it derives the key that encrypts your vault from the master password using the PBKDF2 algorithm (salted, HMAC-SHA256), which since 2018 has defaulted to 100,100 iterations.
The number of “iterations” is the work factor: it sets how much computation someone (or more likely a modern graphics card) has to do per guess to break your password, and that cost scales linearly with the count.
However, many LastPass users who have had their accounts for a long time appear to have only had their accounts configured for 5000 iterations, or in some cases as low as 500, or even one!
Such poorly-secured vaults may not take too long (or cost too much money) to unlock.
And, as LastPass rival 1Password explains, the figures become much worse when it is a human-created password that the hackers are trying to crack rather than a truly randomly generated one.
Oh, by the way, OWASP’s 2021 guidance for PBKDF2-HMAC-SHA256 is 310,000 or more iterations.
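To make the iteration-count argument concrete, here is an added example in Python. It is my illustration, not code from LastPass, from Wladimir Palant, or from the original post. It assumes, as a toy model of LastPass’s published scheme, that the vault key is PBKDF2-HMAC-SHA256 over the master password with the lowercased account email as salt (treat that as an assumption); the email, wordlist and master password are constructed for the demo, and the `make_vault_check` helper is a stand-in for “try to decrypt a vault field and see whether the result is well-formed”. It runs the same offline dictionary attack at 1, 500, 5,000, 100,100 and 310,000 iterations, times one guess at each count on the local CPU, and reports how many times cheaper each guess is than at the OWASP figure. Nothing in it contacts a server, which is exactly why 2FA does not enter into it.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional, Tuple

# OWASP Password Storage Cheat Sheet (2021) recommendation for PBKDF2-HMAC-SHA256.
OWASP_2021_PBKDF2_SHA256 = 310_000

# Counts discussed in the article: values found on older accounts, the
# post-2018 default, and the OWASP figure.
ITERATION_COUNTS = [1, 500, 5_000, 100_100, OWASP_2021_PBKDF2_SHA256]


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Toy model of LastPass key derivation (ASSUMPTION: PBKDF2-HMAC-SHA256,
    salt = lowercased account email, 32-byte key).  The master password is
    never stored; this key is what decrypts the vault, so whoever holds a
    stolen vault only has to reproduce this function offline, per guess."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def relative_cost(iterations: int, baseline: int = OWASP_2021_PBKDF2_SHA256) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is how many
    times cheaper one guess is than at the OWASP-recommended count."""
    return baseline / iterations


def make_vault_check(real_key: bytes) -> Callable[[bytes], bool]:
    """CONSTRUCTED stand-in for 'decrypt one vault field with the candidate
    key and see whether the plaintext is well-formed'.  The real check is an
    AES decryption costing about one extra hash, so the PBKDF2 loop dominates
    either way.  The demo hands it the real key; an attacker has ciphertext."""
    return lambda candidate_key: hmac.compare_digest(candidate_key, real_key)


def offline_dictionary_attack(
    check: Callable[[bytes], bool], email: str, iterations: int, wordlist
) -> Tuple[Optional[str], int]:
    """Try candidates in order; return (password, guesses) or (None, guesses).
    Entirely offline: no login, so 2FA never gets a chance to interfere."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if check(derive_vault_key(candidate, email, iterations)):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(iterations: int, email: str = "alice@example.com") -> float:
    """Time one derivation on this machine (one CPU core; a GPU rig is orders
    of magnitude faster, but the ratios between counts are what matter)."""
    start = time.perf_counter()
    derive_vault_key("benchmark", email, iterations)
    return time.perf_counter() - start


# CONSTRUCTED sample data: a weak, human-chosen master password and a tiny
# wordlist that happens to contain it.  Real wordlists run to hundreds of
# millions of entries, which is where the per-guess cost starts to bite.
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_MASTER_PASSWORD = "Summer2022!"
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein",
                   "Password1", "Summer2022!", "iloveyou"]


def crack_sample_vault(iterations: int) -> Tuple[Optional[str], int]:
    """Victim's vault key was derived at `iterations`; attacker cracks it."""
    victim_key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, iterations)
    return offline_dictionary_attack(
        make_vault_check(victim_key), SAMPLE_EMAIL, iterations, SAMPLE_WORDLIST
    )


if __name__ == "__main__":
    for n in ITERATION_COUNTS:
        t = seconds_per_guess(n)
        found, guesses = crack_sample_vault(n)
        print(f"{n:>8} iterations: {t * 1000:8.2f} ms/guess, "
              f"{relative_cost(n):9.0f}x cheaper than OWASP 2021, "
              f"cracked {found!r} after {guesses} guesses")
```

Run it and the relationship is plain: a guess at 5,000 iterations is 62 times cheaper than at 310,000, and at a single iteration it is 310,000 times cheaper, so a vault left at the old count gives an attacker with a fixed budget tens of thousands of times more guesses. The one defence the user controls is the thing being guessed: a long, random master password pushes the candidate space beyond any wordlist, whatever the iteration count.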
Your LastPass password vault is more at risk if a hacker is prepared to put the resources into cracking your master password. For instance, if you are…
- one of the 100,000 businesses worldwide that uses LastPass
- a journalist
- a government worker or politician
- a human rights defender
- a celebrity
- a cryptocurrency investor
- “a person of interest” to an authoritarian regime
So what should I do?
The sensible thing to do would be to assume that your passwords have been, or could be, compromised.
In which case you should change your passwords. And not just your LastPass master password – *all* the passwords stored in your LastPass vault.