February 2, 2023

Money News PH

The Premier Blog Where Money Talks

LastPass Data Breach: It’s time to ditch this password manager

You’ve heard it over and over again: you need to use a password manager to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free mainstream option, especially in the 2010s, it probably was LastPass. For the security service’s 25.6 million users, however, the company made a worrying announcement on December 22: A security incident the company previously reported (on November 30) was actually a massive and worrying data breach involving the disclosure of encrypted password vaults — the crown jewels of any password manager — along with other user data.

The details LastPass released about the situation a week ago were so concerning that security experts quickly began urging users to switch services. Now, almost a week after the disclosure, the company has not provided any additional information to confused and concerned customers. LastPass has not responded to WIRED’s multiple requests for comment on how many password vaults were compromised in the breach and how many users were affected.

The company hasn’t even clarified when the breach occurred. It appears to have been sometime after August 2022, but the timing is significant, as a big question is how long it will take attackers to begin “cracking” or guessing the keys used to encrypt the stolen password vaults. If attackers had three or four months with the stolen data, the situation for affected LastPass users is even more urgent than if hackers only had a few weeks. The company also didn’t respond to WIRED’s questions about a so-called “proprietary binary format” it uses to store encrypted and unencrypted vault data. To characterize the magnitude of the situation, the company said in its announcement that hackers “were able to copy a backup copy of customer vault data from the encrypted storage container.”

“In my opinion, they’re doing a world-class job of detecting incidents and a really, really terrible job of preventing problems and responding transparently,” said Evan Johnson, a security engineer who worked at LastPass more than seven years ago. “I would either explore new options or see a renewed focus on building trust from their new management team over the next few months.”

The breach also includes other customer data, including names, email addresses, phone numbers, and some billing information. And LastPass has long been criticized for storing its vault data in a hybrid format in which items like passwords are encrypted but other information like URLs are not. In this situation, the plaintext URLs in a vault could give attackers an idea of what’s inside and help them prioritize which vaults to crack first. The vaults, which are protected by a user-selected master password, pose a particular concern for users looking to protect themselves after the breach, as changing that primary password now with LastPass does nothing to protect vault data that has already been stolen.

Or, as Johnson puts it, “With recovered vaults, the people who hacked LastPass have unlimited time to attack offline by guessing passwords and trying to recover specific users’ master keys.”
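The two points above, the hybrid vault record with a plaintext URL and the fact that rotating the master password cannot protect a copy that has already been stolen, are easy to see with a small simulation. This is an added illustration, not LastPass code: it assumes a PBKDF2-derived vault key, a toy SHA-256 counter-mode cipher standing in for the real encryption, and constructed sample credentials.

```python
import hashlib
import os


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password (PBKDF2-HMAC-SHA256, assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256: illustrative only, not a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_vault(entry: dict, key: bytes) -> dict:
    """Hybrid record: the URL stays in plaintext, only the password field is encrypted."""
    nonce = os.urandom(16)
    pt = entry["password"].encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return {"url": entry["url"], "nonce": nonce, "password_ct": ct}


def decrypt_password(record: dict, key: bytes) -> str:
    ct = record["password_ct"]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, record["nonce"], len(ct))))
    return pt.decode(errors="replace")  # a wrong key yields garbage, not an error


def rotation_does_not_protect_stolen_copy(old_pw="old-master-pw", new_pw="new-master-pw",
                                          iterations=100_000) -> dict:
    salt = os.urandom(16)
    entry = {"url": "https://bank.example", "password": "s3cr3t!"}  # constructed sample entry
    stolen_copy = encrypt_vault(entry, derive_key(old_pw, salt, iterations))  # exfiltrated backup
    # The user rotates the master password: the live vault is re-encrypted under the new key,
    # but the ciphertext the attacker already holds is untouched by that change.
    live_vault = encrypt_vault(entry, derive_key(new_pw, salt, iterations))
    old_key, new_key = derive_key(old_pw, salt, iterations), derive_key(new_pw, salt, iterations)
    return {
        "url_visible_in_stolen_copy": stolen_copy["url"],
        "old_pw_decrypts_stolen": decrypt_password(stolen_copy, old_key) == entry["password"],
        "new_pw_decrypts_stolen": decrypt_password(stolen_copy, new_key) == entry["password"],
        "new_pw_decrypts_live": decrypt_password(live_vault, new_key) == entry["password"],
    }
```

The result shows the URL readable without any key, the old master password still opening the stolen copy, and the new one only opening the live vault; the `iterations` argument is the sole brake on how fast each offline guess can be checked, which is why the strength of the original master password is what matters now.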