LastPass Breached: What to Do Next and Alternatives to Consider for Secure Password Management
If you're a LastPass user, you may have recently heard about the significant data breach the company experienced. The breach was massive, with attackers taking customer vault data from the company and leaving many people worried about the security of their personal information.
This breach is a significant reminder that password security is more important than ever before. I’ve been a big proponent of using password managers; LastPass has been my de facto app, and I’ve always recommended it. I think it’s important for me to give you some direction at this point. If you’re using LastPass and you’re reading this, there’s a pretty good chance you’re using LastPass because of my advice.
On a side note: I also believe that passwords right now are a band-aid on the identity problem and that eventually, in the not-so-distant future, usernames and passwords as we use them today will be a thing of the past. I am almost certain that we'll do away with them, but that's fodder for another discussion.
I should mention that whether you stay with or leave LastPass, if you have used it before January of 2023, YOU MUST CHANGE all your passwords immediately. If you don’t read anything beyond this point, know that YOU MUST do this now. Change your master password and change all passwords for all accounts managed from within your LastPass account.
Before I go on, you do NOT have to leave LastPass, but the general consensus is that you should leave LastPass; allow me to explain.
The LastPass Breach and Its Impact
TL;DR
If you don’t have time to read this or don’t have interest, then just know that LastPass was breached, it seems to be a big deal, and the experts say we should leave LastPass. LastPass claims we're safe, and I tend to agree, but given the severity of this and all the expert opinions, I suggest you change all your passwords for any account you had stored in LastPass, and perhaps find yourself an alternative. I’m using 1Password and so far it’s good. If you want to read more about my thoughts on this, then grab a cup of coffee and read on.
End of TL;DR
Ok but let me explain why I am not convinced you have to leave LastPass.
And this should come with two full disclosures.
Disclosure 1: most security experts out there are suggesting that you need to leave LastPass, that this is too much, and that we shouldn’t have any trust left in LastPass.
Disclosure 2: while I don’t necessarily agree with that stance, I am moving to a different app. If I had any significant following on social media, the security experts would lambast me for the opinion that you don’t need to leave LastPass, so I’ll address that first.
Should You Leave LastPass?
Suppose you are using a strong master password and managing only a handful of passwords, from 30 to a couple of hundred.
In that case, you do not have to leave LastPass, IF all the passwords you manage in LastPass are changed immediately, IF all the accounts you have in LastPass can have a new email associated with them, and IF you activate 2FA on all of those accounts.
That's a lot of Ifs.
Assessing Your LastPass Data
What if you have data other than usernames and passwords stored there? First, get clarity from LastPass whether that “extra” data you added in LastPass is encrypted at all. Only you can determine what type of extra data you had in there.
LastPass’ website says that notes are encrypted just like usernames and passwords. But realize that whether those notes were encrypted or not, the perpetrators now have them, and generally speaking, you can’t just change that information.
Some of this data is immutable, so it’s not realistic to tell you to change it, such as social security numbers, bank account numbers, health id information, secret recipes, combination codes, crypto keys, and I can think of a dozen other more specialized types of data people keep in there.
That should be a concern, and I don’t have a good suggestion for you in this regard; it’s not like I can tell you that you should change your social security number.
But I would tell you that you should definitely move your crypto to a new wallet if you were dumb enough to keep your wallet recovery codes in a digital note in LastPass. I would suggest you update your combination codes if you have them listed in there, and so on and so forth.
So if you have more than just usernames and passwords, moving away from LastPass may not do anything; all you can do is hope the bad guys don’t break into your stolen vault.
You could actively recreate everything that you saved in there, which depending on what it is, may prove to be nearly as impossible as breaking into the vault in the first place; improbable but not impossible.
In a way, this situation is the ultimate test of strength for LastPass. It's like being a prepper and preparing for the moment of catastrophe. Have you prepared well enough? Do you have enough water, food, and shelter?
Everything that LastPass has promised is now on the line and being put to the test.
We're literally one step away from this being the worst-case disaster, which could only happen if the bad guys somehow stole the vault data AND your individual master password.
As someone with decades of experience in the IT industry, I tend to analyze situations by asking questions. So, let's scale this problem down and imagine what would happen if you lost your laptop in a public place and someone maliciously stole it.
They would have access to your full desktop environment, including the local data the LastPass app has saved. Although the vault may still be locked and inaccessible without the master password, all the other data on the laptop could be compromised. Therefore, it should be treated as if all of it were certainly compromised.
What would you do next? Lock down and secure everything: change passwords and maintain a state of heightened vigilance for some time.
Given the amount of exposure this brings to LastPass, I assure you they're doing all of this and then some. But what would you actually do in the case of the stolen laptop? You would do the same as you need to do right now.
Steps to Secure Your LastPass Account
Now, what's your next step? Immediately change and update all the passwords and sensitive data saved in the app, including the master password to your vault.
That way, if the malicious party discovers your LastPass vault and manages to break in, you'd be ahead of them by having already changed all your passwords. Most experts agree that with our current technology, it would take years to break the encryption of your vault, provided you had a solid, strong password.
Combine that with other best practices, and you'll be confident that your data is safe since you changed everything before they broke into your vault.
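To make the "years to break a vault" claim concrete, here is an added example (not code from the original post or from LastPass) that estimates the offline guessing time an attacker holding a stolen, still-encrypted vault would need. The raw hash rate and the KDF iteration count are assumptions, as is the uniform-random password model; the point is how length, character set and the KDF each multiply the defender's margin.

```python
import math

# Assumed attacker hardware: raw hash computations per second. Constructed value.
RAW_HASH_RATE = 1e9
# Assumed work factor: a PBKDF2-style KDF makes each master-password guess cost
# this many hash computations. Constructed value, not LastPass's actual setting.
KDF_ITERATIONS = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password made of `length` uniformly random symbols."""
    return length * math.log2(charset_size)


def effective_guess_rate(raw_rate: float = RAW_HASH_RATE,
                         iterations: int = KDF_ITERATIONS) -> float:
    """Guesses per second once each guess costs `iterations` hashes."""
    return raw_rate / iterations


def years_to_crack(length: int, charset_size: int,
                   raw_rate: float = RAW_HASH_RATE,
                   iterations: int = KDF_ITERATIONS) -> float:
    """Expected years to find the master password by exhaustive search.

    On average the attacker finds it after trying half the keyspace.
    """
    expected_guesses = 2 ** (entropy_bits(length, charset_size) - 1)
    seconds = expected_guesses / effective_guess_rate(raw_rate, iterations)
    return seconds / SECONDS_PER_YEAR


def compare_policies(policies: dict) -> dict:
    """Map a policy name to (entropy bits, expected years) for each policy."""
    return {name: (round(entropy_bits(n, cs), 1), years_to_crack(n, cs))
            for name, (n, cs) in policies.items()}


if __name__ == "__main__":
    # Constructed policies: (length, character-set size).
    sample = {
        "8 lowercase letters": (8, 26),
        "12 mixed case + digits": (12, 62),
        "16 random printable ASCII": (16, 94),
    }
    for name, (bits, years) in compare_policies(sample).items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years")
```

A weak master password falls in well under a year under these assumptions, while a long random one is out of reach by many orders of magnitude, which is exactly why changing the stored passwords now buys time regardless of which case you are in.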
Despite the infosec community's response with absolute certainty that you must move and ditch LastPass, I like to ask questions to really analyze a situation and have a reasonable response.
While it's true that this situation challenges LastPass's zero-knowledge architecture approach, perhaps it could also make them even stronger if they can demonstrate that their approach prevented major problems even in this worst-case scenario that has come to life.
Whether you decide to stay with LastPass or not, it's important to remember that you're racing against time and the hacker is trying to beat you. Change all the usernames and passwords you can on the off chance that they are able to break into YOUR vault.
Keep in mind that the thief stole almost everyone's vaults, so they would have to break into each vault one at a time. There's no way for them to tell which vault belongs to you (I assume, but could be wrong), so they wouldn't know which one to target specifically.
Now, let me answer a few more questions. Why don't I tell you to leave LastPass outright? And why am I leaving?
First, why am I leaving LastPass?
Viability, usability, and trying something new. My leaving is an action I’m taking more from a business point of view than from a technical or practical perspective. LastPass may not recover from this; we'll see in a few years.
I would rather make a move now, knowing that the new alternate service is thriving and will continue to develop and innovate. In contrast, I think that LastPass will spend a huge portion of its resources doing damage control and selling itself as an option, and thus will not be as focused on new development or innovation.
It's already happening; you're seeing other password managers capitalizing on the LastPass blunder. And a blunder it is, because if we want to get into the nitty gritty, the LastPass breach wasn't even a big technical breach. How they found and took everything they needed was sophisticated, but it seems the first step to gaining access was a social engineering hack.
The thing that is most frustrating for me is that the hack wasn't even a technical hack. There was no sophisticated programmer behind the scenes hacking into the network servers, finding operating system vulnerabilities and all the romanticized ways we see hackers operate in the movies. You may be imagining something like Swordfish, where the hacker broke into LastPass like this:
But, no.
They first broke in with a social engineering hack, as most major security breaches do. It's always the human element; you would know this if you have read Kevin Mitnick's books. If you haven't, then you should read The Art of Deception and Ghost in the Wires.
Basically, a social engineering hack might go something like this:
The attacker calls someone in the company and says something to the effect of,
— “hey, I can't get into XYZ server, I think the password changed, can I have the new one please?”
And the person on the phone passes the information on.
I’ve simplified it a lot, but there are many reasons why the person answering the phone might divulge sensitive information, and that’s what Mitnick’s books are about.
I highly recommend them.
Of course, I'm simplifying it for brevity, but it seems that the initial access that eventually led to the huge breach was a social engineering or phishing hack. The latest report says that they got in through one employee's home network. Clearly a failure in standard operating procedures, and a network and security admin's worst nightmare.
That's somehow what seems to have happened, and as far as the current situation for you as a user of LastPass, the details of the breach are mostly inconsequential.
But if this interests you, then you should definitely read the two books I mentioned. If you prefer to stick with the movie analogy, the hack was more Catch Me If You Can than Swordfish.
I’m also leaving LastPass because of all the infosec experts advocating that we move. I’m an expert in what I do, and most of my readers see me as an expert. But in the information security field, I’m a journeyman at best; you may see me as super knowledgeable and capable of doing everything right in your business and for you, but compared to a cyber security engineer who specializes in this day in and day out, I’m just not even in the same league.
So it is my professional duty to follow the best practices and do everything I’m supposed to do to keep my data and your data safe. My gut tells me that even if we stay with LastPass we are safe, but every source I trust is telling me we’re not.
There is the element of asking ourselves: if they were so careless as to let a breach like this happen, are they really capable of maintaining our trust moving forward? I think that’s the biggest reason why experts are advising us to leave LastPass.
I’m not certain if they’re buying into the hype and just dogpiling on LastPass, or if there is truly something I’m missing from a technical point of view.
Another reason I’m moving is that I like to try different apps, so this is a good chance to do that. LastPass has ignored so many usability issues and isn’t the friendliest overall, so this was a good time. Let's hope 1Password is better in that regard.
Finding a LastPass Alternative
I’ve settled on 1Password for now, but I considered a few others: Dashlane, KeePass (offline) and even Bitwarden.
1Password offers a seamless transition over to their service, even offering to pay the remainder of your bill with LastPass.
I have been a strong supporter and advocate for LastPass. I've been forgiving of their poor UI for over 12 years because their architecture promised that using their method keeps everyone safe since they never know your password.
This is still true, but to get around it, the hackers thought: “ok, let's just steal the whole thing,” and then they'll try to break into it “later,” when they have all the time in the world.
And yes, the encryption level should indeed make breaking into an individual vault really difficult, or nearly impossible. Twenty years ago, we could have said that it would be impossible. With the advancements in computing as they are progressing, the comfort LastPass is showing in its encryption could be misplaced, and in fact, maybe there's a cluster of computers right now deciphering our vaults.
Given what we've seen with robotics, AI, and the tech field at large and the advancements made, can we really trust that “they won't be able to break into our vaults” or “don't worry, it would take 100 gazillion years”?
Maybe.
But I would rather move to a new service, experience better usability, and remember that my own security practices must prevail over any and all promises these password managers may entice me with.
Taking Charge of Your Online Security
I'm in charge of that security, and tools like LastPass, 1Password, Dashlane, and others are just tools, one more layer to protect me, but not really responsible for my data.
I must ensure my passwords are strong and randomized, using all available characters and as long as possible. I need to make sure each and every account I own or manage has the most robust security level enabled. 2FA is now becoming mainstream, so every single account that offers it should be using it.
You should always think like this and approach your security strategy like this.
Brief reminder:
- Use strong passwords, random with all the characters available.
- Change them frequently.
- Don't use the same password twice or for two services.
- Lock all your passwords with a password manager.
- Lock and have a lock screen on your computer.
- Lock and have a lock screen on all your other devices.
- Don't leave accounts logged in while not in use.
- Don't click on unsolicited links, text messages or emails.
Further reading:
ZDNet. (2023, February). LastPass breach: Hackers put malware on engineer's home computer to steal their password. https://www.zdnet.com/article/lastpass-breach-hackers-put-malware-on-engineers-home-computer-to-steal-their-password/
TechCrunch. (2023, January). GoTo customer backups stolen in LastPass breach. https://techcrunch.com/2023/01/24/goto-customer-backups-stolen-lastpass/
Kiplinger Personal Finance. (2023, January 19). What You Need to Know About the LastPass Hack. https://www.kiplinger.com/personal-finance/lastpass-hack