Center For Practice Management, Cloud Computing, Ethics, Security

Lessons from the LastPass Breach

LastPass, the popular password manager, has suffered a breach. If you are a LastPass user it is time to decide if you will stay or go. If you stay, what steps should you take to protect your LastPass vault? If you go, where to? What are best practices to consider when using password managers in the harsh light of breach notification? Read on!

What Happened?

According to a detailed timeline published by Naked Security, LastPass, the password management application, suffered a breach in August 2022. LastPass communicated with customers, but with little information about the impact other than that it had not seen evidence of the hackers accessing customer data or encrypted password vaults. In September 2022 it issued a follow-up notice to customers with assurances that its system design and controls had prevented the threat actor from accessing customer data and encrypted password vaults. Then in November 2022 it revealed that the hacker had gained access to certain elements of customer information. Finally, in late December 2022 it sent another missive to customers to let them know that basic account information and related metadata had been accessed, and that a backup of customer vault data had been accessed as well. LastPass assured customers that their LastPass master password and the passwords in the vaults remained encrypted.

What Was Exposed?

Again, according to Naked Security, hackers accessed unencrypted customer information including billing addresses, phone numbers, payment card details, company names, end-user names, email addresses, and the IP addresses from which customers were accessing the LastPass service. The threat actor also made a copy of the backup of the customer vault data, which includes the URLs of the websites that go with each encrypted username and password. Because of the amount of time between the first attack and the second, if you didn’t change your LastPass password between August and September, the hacker has the vaults and all the time in the world to crack your LastPass login password.

What Should I Do Now?

If you are a LastPass subscriber on either the free or a paid plan, immediately change your LastPass password to something long, strong, and unique. Enable 2FA (two-factor authentication) on the account, preferably using a third-party authenticator such as Google Authenticator, Microsoft Authenticator, or Duo Mobile. These authenticators are apps installed on your smartphone that provide a single-use, time-limited code for accessing the protected accounts. Because of SIM swapping and other issues (such as re-routing of text messages), it is no longer a best practice to rely on a numeric code sent by text to your mobile phone.

The next step is the onerous process of changing all your passwords. Start with the accounts with the most sensitive information, like your bank, credit cards, credit bureaus, and investments. Next move on to your email account(s), social media, and firm cloud subscriptions. Beyond those, consider logins where you have credit card information stored like airlines, retail, and utilities.

Finally, consider whether you will leave LastPass. There are plenty of alternatives to choose from; this list from Wired breaks down the options. You can even use a locally installed password manager such as KeePassXC, KeePass, or Enpass so that your passwords are not stored in the cloud. Wired also suggests that “Yes, It’s Time to Ditch LastPass”. Fortunately, it is easy to move from one password manager to another, since you can export your LastPass vault in CSV format and upload it to another service.

To leave LastPass you will want to first export your data as a CSV file. Then cancel your subscription so you will not be auto-billed. Then uninstall the browser extension and the app. Finally, delete your account. If you are moving to another password manager, most let you import your password list. Remember that the CSV file is extremely sensitive: once you have uploaded it to the new manager, shred it or permanently delete it from your computer. Don’t save the file anywhere it will be synchronized or backed up.
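Since the exported CSV is on your disk anyway before you import it, it is a good moment to find out which logins to change first. The following is an added example, not code from the original post or from LastPass: it reads the export and flags passwords that are reused across sites or are short, reporting only entry names, never the passwords. The column names (url, username, password, totp, extra, name, grouping, fav) are assumed to match the LastPass export layout; check them against the header line of your own file, and shred the export when you are done.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the assumed LastPass CSV column layout.
# Values are made up for illustration only.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example,alice,Corr3ct-Horse-Battery,,,Bank,Finance,1
https://mail.example,alice@example.com,Corr3ct-Horse-Battery,,,Email,Personal,0
https://shop.example,alice@example.com,winter2020,,,Shop,Retail,0
https://air.example,alice@example.com,winter2020,,,Airline,Travel,0
https://util.example,alice,x9$Lq2!vR8pT#m4W,,,Utility,Home,0
"""


def audit_export(csv_text, min_length=14):
    """Return (reused, short).

    reused: lists of entry names that share one password (each list is
            one group of sites that must all be changed together).
    short:  entry names whose password is shorter than min_length.
    Passwords themselves are never returned or printed.
    """
    by_password = defaultdict(list)
    short = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row.get("password", "")
        if not pw:  # secure notes and similar entries have no password
            continue
        by_password[pw].append(row["name"])
        if len(pw) < min_length:
            short.append(row["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    return reused, short


def change_first(csv_text, min_length=14):
    """Entry names to change first: reused or short, in file order, no dups."""
    reused, short = audit_export(csv_text, min_length)
    flagged = {name for group in reused for name in group} | set(short)
    order = [row["name"] for row in csv.DictReader(io.StringIO(csv_text))]
    return [name for name in order if name in flagged]


if __name__ == "__main__":
    reused, short = audit_export(SAMPLE_EXPORT)
    print("reused across sites:", reused)
    print("shorter than 14 characters:", short)
    print("change these first:", change_first(SAMPLE_EXPORT))
```

Run it against your real export by reading the file into `audit_export` instead of `SAMPLE_EXPORT`; the bank and email entries in the sample are flagged together because they share a password, exactly the "all your eggs in one basket" situation the breach exposes.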

Other Actions to Take

The LastPass breach is a good reminder to always keep an eye on the news and be ready to protect yourself, your firm, and your data. Here are a few takeaways to remember, given the news about the breach:

  • Don’t store super sensitive passwords in a password manager, including passwords for bank accounts, your network or computer login, and your email account.
  • Don’t store credit card information in a password manager.
  • Set up 2FA for all your online accounts and use an authenticator instead of text messages (when possible).
  • Keep up with cybersecurity news. Sadly, LastPass was not as clear about the extent or impact of the breach with customers as it should have been.
  • Use a creative username instead of using your email address when creating a login if possible.
  • Rethink whether you should be using a password manager to fill in forms.
  • Don’t put all your eggs in one basket. Although many password managers provide space to store sensitive documents, consider storing them elsewhere like a digital vault or a zero-knowledge cloud storage product or using an add-on like Cryptomator to protect Google Drive or OneDrive.
  • Keep a close eye on bank statements, credit card activity, and freeze your credit accounts.
  • Watch for an increase in phishing emails.
  • Look at what devices are logged into your accounts. If you don’t recognize one, then remove it. Have you given third-party apps access to your account? You can remove these if you don’t recognize them.
  • Create a unique username and password for logins instead of using your Apple, Facebook, or Google credentials to log into accounts.
  • Consider using a dynamic IP address instead of a static IP address when you can.

Conclusion

Password managers are still recommended by security pros. Keeping your passwords in a notebook might seem like the safest approach, but that notebook is a security risk too. The promise of a passwordless future by using passkeys is coming near, but we will still rely on passwords in the short term. Continue to follow the best practices for long, strong, and unique passwords and stay flexible enough to react quickly to potential threats.