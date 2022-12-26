wordpress blog stats
Explained: What Happened with LastPass and Why it Shouldn’t Scare you from Using Password Managers

The password manager data breach accentuates the importance of complex passwords and other best practices to keep your data safe.


Password manager LastPass disclosed on December 22 that hackers were able to “copy a backup of customer vault data,” which contains “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” Hackers can decrypt these fields only if they crack the master password set by the user.

Why does this matter: The only thing worse than a data breach is a data breach of a password manager. Password managers are widely used for the convenience of not having to remember a password for every service you have signed up with, but that same convenience concentrates all of a user’s credentials in one place, which makes the vaults a high-value target. This doesn’t mean you should stop using password managers. Simply setting a strong master password improves your security significantly (as you will read below).


What happened with LastPass: A timeline of events

In brief:

  • No evidence of customer data compromise (August 25, 2022): LastPass published a notice saying they “detected some unusual activity” but they saw “no evidence that this incident involved any access to customer data or encrypted password vaults.” The company also indicated that it has “deployed containment and mitigation measures” and has launched a detailed investigation into the incident.
  • Investigation concludes the same (September 15, 2022): LastPass concluded its “investigation and forensics process in partnership with Mandiant” and reiterated that the hackers didn’t have access to customer data or encrypted password vaults. LastPass also shared more details on how the hackers got into the platform and what they had access to.
  • Unauthorised access to customer info, but passwords safe (November 30, 2022): LastPass informed that it found “an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information” but that “customers’ passwords remain safely encrypted.”
  • Hackers have customer passwords, but can’t see without master password (December 22, 2022): In its latest update, LastPass informed that some “source code and technical information were stolen” and “used to target another employee, obtaining credentials and keys” which were then used to steal backups of basic data of customers as well as customer vault data.

What customer data has been compromised?

1. Encrypted customer vault data: 

  • website usernames
  • passwords
  • secure notes
  • form-filled data

2. Unencrypted customer vault data: 

  • website URLs (these tell the hackers which sites you have accounts on, which enables targeted attacks such as phishing emails that impersonate those sites)

3. Account information and related metadata:

  • company names
  • end-user names
  • billing addresses
  • email addresses
  • telephone numbers
  • IP addresses

What data hasn’t been compromised?

1. Master Passwords: The encrypted fields (category 1 above) can only be decrypted if the hackers recover the master password of the respective user’s vault. “Encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client,” the company explained.

2. Credit card data: “There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment,” the company informed.

How hard is it to crack the master password?

Hackers can attempt to brute-force the master password: derive a key from each candidate password and check whether it decrypts the stolen vault. Because the backups are in the attackers’ hands, this is an offline attack; LastPass’s servers cannot rate-limit it or lock the account, so the only things slowing it down are the strength of your password and the cost of the key-derivation step. For example, a 10-character password made up only of digits can be cracked almost instantly, whereas a 13-character password mixing digits, upper- and lowercase letters, and symbols would take around 2 million years to exhaust with current hardware. As computers get faster, these numbers will shrink. The cost of each guess also depends on the key-derivation work factor: LastPass’s notice says the default is 100,100 iterations of PBKDF2, and the setting is per account, so a vault protected by an older, lower iteration count is cheaper to attack than these figures assume.

“It would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” LastPass reassured, but we don’t know how many users followed these best practices.
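To make the cracking cost above concrete, here is an added example (it is not LastPass’s code and is not taken from the original article) that derives a vault key from a master password and runs the kind of offline dictionary attack the stolen backups allow. It assumes the key is PBKDF2-HMAC-SHA256 over the master password, salted with the account email and run for 100,100 iterations by default, and it uses a made-up attacker throughput; the “fingerprint” stands in for testing whether a key decrypts the vault, and the sample email, password and wordlist are constructed for the demo.

```python
"""Added example (not LastPass's code): why vault cracking cost depends on
the master password's keyspace and on the PBKDF2 work factor.

Assumptions (labelled, not taken from the article):
  * vault key = PBKDF2-HMAC-SHA256(master password, salt=email, 32 bytes),
    100,100 iterations by default, as LastPass's Dec 22 notice describes;
  * the attacker's HMAC-SHA256 throughput is a made-up figure.
The fingerprint below is a stand-in for "does this key decrypt the vault";
a real attacker would test a decrypted field instead.
"""
import hashlib

DEFAULT_ITERATIONS = 100_100          # LastPass default per its Dec 22 notice
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive the 256-bit AES key from the master password (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations,
                               dklen=32)


def fingerprint(key: bytes) -> str:
    """Constructed key-check value so the demo can test a guess without AES."""
    return hashlib.sha256(b"vault-check:" + key).hexdigest()


def crack(candidates, email: str, target_fp: str,
          iterations: int = DEFAULT_ITERATIONS):
    """Offline dictionary attack: every guess costs a full PBKDF2 derivation,
    and nothing on the server side can rate-limit or lock it out."""
    for guess in candidates:
        if fingerprint(derive_vault_key(guess, email, iterations)) == target_fp:
            return guess
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from `charset_size`."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, hmac_per_second: float,
                     iterations: int = DEFAULT_ITERATIONS) -> float:
    """Worst-case time to try every password: one guess = `iterations` HMACs."""
    guesses_per_second = hmac_per_second / iterations
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def main():
    email = "alice@example.com"                                   # constructed
    victim_fp = fingerprint(derive_vault_key("Summer2022!", email))
    wordlist = ["password", "123456", "Summer2022", "Summer2022!"]  # constructed
    print("dictionary attack found:", crack(wordlist, email, victim_fp))

    rig = 1e10   # assumed attacker throughput: 1e10 HMAC-SHA256/s (GPU cluster)
    print("10 digits only        : %.2g years" % years_to_exhaust(10, 10, rig))
    print("13 chars, 95 symbols  : %.2g years" % years_to_exhaust(95, 13, rig))
    # Same 13-character password on an account left at 5,000 iterations:
    print("13 chars, 5,000 iters : %.2g years" % years_to_exhaust(95, 13, rig, 5_000))


if __name__ == "__main__":
    main()
```

Running it shows the two levers the article describes: a weak master password falls to a short wordlist regardless of the iteration count, while a 13-character mixed password stays out of reach, and lowering the iteration count from 100,100 to 5,000 makes every guess about twenty times cheaper without changing the password at all.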

Should you still use a password manager?

Yes. Unless you can remember a unique, strong password for every site you use, this incident should not put you off using a password manager, since it is still safer than the alternatives, such as keeping passwords in a Google Doc or reusing one easy password everywhere. Even in a breach like this one, a complex master password keeps your vault protected.

  1. The takeaway from this incident is not to abandon password managers but to use a strong master password. 
  2. Never use this master password on other sites.
  3. Additionally, use two-factor authentication whenever possible so that a leaked password alone cannot be used to compromise your account.
  4. If you’re not comfortable with using LastPass, there are other password managers with a better security track record, such as Bitwarden (which is open source) and 1Password.

What should LastPass users do?

  1. Set a strong master password: If we haven’t said it enough times already, please set a strong master password that uses numbers, lower- and uppercase letters, and symbols, and is at least 13 characters long.
  2. Change passwords on all sites if you had a weak master password: If your master password was weak, it is likely that hackers will be able to crack it. “In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored,” LastPass advised its users.
  3. Beware of phishing attacks using the unencrypted data: “The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password,” the company informed.

What is LastPass doing to address this incident?

LastPass will need to do a lot to rebound from this incident and regain user trust, but here are the steps the company says it has taken so far:

  • New development environment: LastPass has decommissioned the development environment, which played an instrumental role in the breach, in its entirety and is “rebuilding a new environment from scratch.” 
  • Logging and alerting measures: The company also “added additional logging and alerting capabilities to help detect any further unauthorized activity including a second line of defence […] to supplement our own team.”
  • Rotating certificates and credentials: LastPass said that it is “actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security. We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed.”
  • Ongoing investigation: “This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. […] In the meantime, our services are running normally, and we continue to operate in a state of heightened alert,” the company informed.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide
No spam, ever. Promise.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ