LastPass Data Breach: From Bad to Worse, and Worse Still

It started with a breach of the LastPass developer environment. No customer data was involved in that breach, but then came the news that some customers were impacted, not by the first breach but by a second one that was linked to it: the data stolen in the first breach enabled the second. But, not to fear, customer password vaults were not affected. Now, LastPass has issued another update and said some customer password vaults are at risk.

It is important to state that no customer master passwords have been breached. LastPass, like many other password managers, operates under the zero-knowledge model. LastPass does not know customers' master passwords, so a hack of LastPass cannot expose them. This matters because users of a password manager are putting all of their eggs in one basket, so zero knowledge is vital. The problem is for customers who have set weak master passwords, because LastPass has announced that the hackers stole customers' encrypted password vaults. LastPass has discovered that in the second breach, the hacker(s) stole a copy of a backup of customers' encrypted vaults from a storage container.

As far as data breaches at password managers go, this is about as bad as it gets. Hackers cannot steal unencrypted password vaults, since the keys for decryption are derived and held locally by users; even LastPass cannot access those. However, having a copy of the encrypted password vaults means the hackers have free rein to run offline brute force attacks on master passwords, and the backup copy was stolen about 3 weeks ago, so the hackers have potentially had a considerable head start.

So, what does this mean? Well, the stolen vault data obtained by the hackers is fully encrypted, but if decrypted, that information includes website usernames and passwords, secure notes, form-fill data, and unencrypted website URLs. LastPass uses 256-bit AES encryption, which is standard and secure. The hackers do not have master passwords in plaintext, so in theory all is well. If customers have set a sufficiently complex master password, it would take weeks, months, or many, many years to guess the right one. Then there is the volume of data that has been stolen, yet to be disclosed, which will slow down any brute force effort against individual accounts.
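The model the article describes, a vault key derived from the master password on the client so the service never holds it, with the credentials encrypted under 256-bit AES but the website URL left in the clear, as an added Go example that is not LastPass code. The key-derivation parameters are assumptions for illustration only: PBKDF2-HMAC-SHA256 with the account email as salt and 100,000 iterations (LastPass's real settings are not given in the article), and AES-GCM is the chosen mode (the article says only "256-bit AES"). The sample credentials are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KDFIterations is an illustrative PBKDF2 work factor (assumption, not LastPass's
// real setting). Every guess at a stolen vault costs an attacker this many HMACs,
// which is why both the work factor and the master password's length matter.
const KDFIterations = 100_000

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) with the standard
// library only, so the example runs without third-party modules.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Uj = PRF(P, Uj-1); T = U1 xor ... xor Uc
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// VaultKey derives the 256-bit AES key from the master password. The key exists
// only on the client; the service stores ciphertext and never sees the password.
func VaultKey(masterPassword, email string) []byte {
	return pbkdf2SHA256([]byte(masterPassword), []byte(email), KDFIterations, 32)
}

// StoredEntry is one record as it would sit in a backup: the URL is plaintext,
// the credentials are AES-256-GCM ciphertext bound to that URL.
type StoredEntry struct {
	URL        string
	Nonce      []byte
	Ciphertext []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEntry encrypts username and password under the vault key. The URL is passed
// as associated data: tamper-evident, but readable by anyone holding the backup.
func SealEntry(key []byte, url, username, password string) (StoredEntry, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return StoredEntry{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredEntry{}, err
	}
	plain := []byte(username + "\n" + password)
	return StoredEntry{URL: url, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plain, []byte(url))}, nil
}

// OpenEntry recovers the credentials. A wrong master password yields a wrong key,
// and GCM's authentication tag rejects it instead of returning garbage.
func OpenEntry(key []byte, e StoredEntry) (username, password string, err error) {
	aead, err := gcmFor(key)
	if err != nil {
		return "", "", err
	}
	plain, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(e.URL))
	if err != nil {
		return "", "", errors.New("wrong master password or tampered entry")
	}
	parts := bytes.SplitN(plain, []byte("\n"), 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed entry")
	}
	return string(parts[0]), string(parts[1]), nil
}

func main() {
	// Constructed sample data, not from any real vault.
	key := VaultKey("correct horse battery staple 2022", "alice@example.com")
	entry, err := SealEntry(key, "https://bank.example", "alice", "hunter2-but-longer")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored URL in the clear: %s, ciphertext %d bytes\n", entry.URL, len(entry.Ciphertext))
	if _, _, err := OpenEntry(VaultKey("wrong guess 12chars", "alice@example.com"), entry); err != nil {
		fmt.Println("wrong master password:", err)
	}
	u, p, _ := OpenEntry(key, entry)
	fmt.Println("correct master password:", u, p)
}
```

The point to take from running it: an attacker with the backup sees every `URL` field immediately, gets nothing from `Ciphertext` without the master password, and must pay the full PBKDF2 cost for each guess, so a short or reused master password is the only thing that makes the stolen copy useful to them.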

All is well and good if users have set strong master passwords. The problem is that many users do not, despite the fact that a master password is the key to a user's entire digital life. A recent survey by Security.org revealed 25% of password manager users reuse their master password on other sites. That is akin to having a safe and then making copies of the key and storing them in multiple locations that are accessible to the public. If such a serious security mistake is made by so many users, what is the likelihood that their master passwords are super complex?

Since master passwords must be at least 12 characters long on LastPass, guessing them, even if they are relatively weak, would still be a time-consuming process. However, brute force attacks are not the only threat. A phishing attack targeting LastPass users to obtain their master password is also a threat. This is a problem, as the hacker also obtained customer information such as IP addresses, email addresses, telephone numbers, and billing addresses. That information could be used to craft a convincing spear phishing email, or be used in a vishing (voice phishing) or smishing (SMS) attack. LastPass has said it will never contact users by telephone, email, or text message requiring them to click a link to verify their identity, nor will the company ask a user to disclose their master password. That said, phishers are cunning, so account holders should be on their guard.

LastPass has reset all of its corporate passwords, and customers have been notified and instructed to follow password best practices. LastPass users should ensure that two-factor authentication is activated and, if they have a weak master password, change it. LastPass says no action is required if users followed password best practices and have a complex master password.

This latest discovery is certainly bad news for LastPass, which last year was the most popular password manager. This year its user numbers have dropped. The Security.org survey indicates LastPass has fallen from 1st to 4th place, having been overtaken by Google, Apple, and Bitwarden, all of which have benefited from the latest hacks. So, should users switch password managers or stop using a password manager altogether? Password managers can significantly improve password security if used correctly and password best practices are followed, so there is no need to stop using one. Doing so would more than likely weaken security. Is a switch necessary? That is a matter of personal opinion and, while it is not necessary, one thing is for sure: the password management teams at Apple, Google, and Bitwarden will be having a very Merry Christmas.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news