The details LastPass provided about the situation last Thursday were troubling enough that security professionals quickly began asking users to switch to other services. Now, nearly a week after the disclosure, the company has not provided any further information to confused and concerned customers. LastPass did not respond to WIRED’s multiple requests for comment on how many password vaults were compromised in the breach and how many users in general were affected.
The company has not even clarified when the breach occurred. It appears to have been sometime after August 2022, but the timing is significant because a big question is how long it will take for attackers to start “cracking” or guessing the keys used to encrypt stolen password vaults. If the attackers have already had three to four months with the stolen data, the situation is even more pressing for affected LastPass users than if the hackers only had a few weeks. The company also didn’t respond to WIRED’s questions about what it calls “a proprietary binary format” it uses to store encrypted and unencrypted vault data. In characterizing the scale of the situation, the company simply said in its announcement last week that the hackers were “capable of copying a backup of customer vault data from the encrypted storage container.”
“In my opinion, they’re doing a world-class job of detecting incidents and a really poor job of preventing issues and responding transparently,” says Evan Johnson, a security engineer who worked at LastPass over seven years ago. “I would look for new options or look to see a renewed focus on trust building in the coming months from their new management team.”
The breach also includes other customer data, including names, email addresses, phone numbers, and some billing information. And LastPass has long been criticized for storing its vault data in a hybrid format where things like passwords are encrypted, but other information, like URLs, is not. In this situation, the plaintext URLs in a repository could give attackers an idea of what’s inside and help them prioritize which repository to work with first. Vaults, which are protected by a user-selected master password, pose a particular problem for users looking to protect themselves following the breach, because changing the master password now with LastPass will do nothing to protect vault data that has already been stolen.
Or, as Johnson puts it, “By restoring vaults, people who’ve hacked LastPass have unlimited time for offline attacks by guessing passwords and attempting to recover a specific user’s master key.”
This means LastPass users should go through their vaults and take additional steps to protect themselves, including changing all of their passwords.
Start by turning on two-factor authentication for as many accounts as possible, especially high-value accounts like your email, financial services, and heavily used social media accounts. That way, even if attackers compromise your account passwords, they can’t actually log in without the one-time code or hardware authentication key you added as a “second factor.” After that, change the passwords for all those high-value and sensitive accounts. And then change any remaining passwords stored in your LastPass vault.
While you’re doing all of this (or at least as much as you can), it’s high time you switched to a new password manager. You can add accounts to the new service as you change them. WIRED recommends 1Password and the free Bitwarden service along with some alternatives. We haven’t recommended LastPass since the company scaled back its free offerings a couple of years ago, and LastPass had already suffered a number of security incidents before this latest, most serious breach was revealed.
“One hundred percent, yes, people should switch to other password managers,” says a senior security engineer, who asked not to be named due to professional relationships with people on the LastPass security team. “They have failed to do the one thing they are supposed to provide: secure cloud-based credential storage.”
Security professionals universally point out that the situation with LastPass shouldn’t stop people from using password managers in general. And if you’re a loyal LastPass user, you should still change your vault password, turn on two-factor for every account that offers it, and change all the passwords in your vault even if you don’t migrate somewhere else in the process.
“As someone with experience in handling and communicating data breach notifications in the EU, I would argue that LastPass’ chosen communication strategy could undermine user trust,” says Lukasz Olejnik, independent privacy researcher and consultant. “The big problem is also the timing. Why do it just before the end of the year holidays when the initial investigation started months ago?”
As Jeremi Gosney, a longtime password cracker and senior principal engineer on Yahoo’s security team, wrote this week in a long series of posts about the situation: “I used to support LastPass. I’ve been recommending it for years and defending it publicly in the media… But things change.”