LastPass was hacked. It was a bad, bad hack.
If you use LastPass, your passwords are probably fine. LastPass uses a very secure method to protect your secrets. You don’t have to panic.
Isn’t the word “probably” an annoying thing to see in that sentence? Wouldn’t you rather have me say that you’re completely protected? Me too. The qualification is: you might be at risk if you use a short master password, eight characters or fewer, OR if your master password is crappy. If your LastPass master password is a single dictionary word and an exclamation point, the bad guys might break into your LastPass vault. Sorry.
If your master password is reasonably complex, stand down. Slow your breathing. Wait for the adrenaline to wear off. You’re safe enough.
What you should do
If you are NOT currently using LastPass but considering a password manager, don’t choose LastPass.
If you are a LastPass user, switch to a different system. Our trust in LastPass is broken. I’ll tell you more about that below.
Make no mistake: switching to a different password manager is a pain in the ass. You’ll have to do a bunch of fiddly tech stuff to move your passwords to another app. You have a lot of muscle memory with LastPass; the next app will be different. It might be better, it might be worse, but that’s not the point. We don’t deal well with changing familiar things. If you’ve been using LastPass features like sharing passwords among family members and storing files and PDFs, you may have to start over to set those up with the next app.
Many people have strong opinions about password managers, especially tech folks. If you were fully informed and kind of geeky, you might decide you want an app that does not sync to the cloud, or that runs on Linux, or that has some weird feature that’s meaningful to you. Be free. Do your research. Fly, my beloved nerds.
If you want guidance and you trust me, choose 1Password as the replacement for LastPass. Read this article before you get started with 1Password. It has advice about what to expect and how to get started. Since I wrote that article, 1Password has improved its Chrome extension (ignore my comments about Chrome in the article), and does a much better job auto-filling password fields on iPhones and Android phones.
If you choose 1Password, follow the instructions to print the Emergency Kit and store a copy of it in a safe place. Don’t blow by it. Write your master password in the blank and keep the Emergency Kit page with the other papers that you would store in a safe if you had a safe. If you forget your master password, you will be able to get back into the account if you have the Emergency Kit. You may be locked out forever if you forget the master password and you don’t have this backup. There is a lengthy encryption key in the Emergency Kit – an extra layer of security beyond what LastPass relies on.
How LastPass lost our trust
I left LastPass two years ago but not because of any security concerns. I left after a series of customer-hostile price increases and cuts in services. I put it this way:
After my last article you probably understand why I left LastPass.
I’m pissed.
I’m angry at the modern world with its overemphasis on short-term profits. I’m angry at the venture capital and private equity firms that suck money out of nice companies and discard the husks.
I’m angry at LastPass for making a useful product worse, for unfair business practices, and for taking away the utility of a fine free product which had helped it build tremendous goodwill.
LastPass had already suffered through several hacks at that point but their architecture seemed secure and private data was never at risk. The hacks were embarrassing but I didn’t think it was necessary to suggest that everyone leave LastPass. Most normal people were well-advised to stick with something familiar and trusted.
LastPass is one of the best-known consumer-facing security companies. It is responsible for the most important private information for more than 30 million users.
You might expect it to devote all of its energy to hardening its security. This is a company that ought to be bulletproof.
Instead, its owner – previously LogMeIn, now GoTo – decided to spin it off. A year ago it announced plans to make LastPass an independent company. As near as I can tell, it never completed the spinoff. But apparently it also didn’t put any money into making LastPass stronger.
That fulfills the prediction I made in 2021, less than six months after new owners acquired LogMeIn:
In August 2020 LogMeIn was acquired by private equity companies with a record of milking existing customers to get a quick revenue boost, then spinning off profitable divisions.
How LastPass was hacked
This year’s incident started when LastPass announced that it had been hacked in August 2022. No customer data was taken but the company’s source code was stolen. That’s bad but it doesn’t necessarily mean the sky is falling. There were a lot of questions – the LastPass statement was noticeably vague about details – but users didn’t have to take action.
In November LastPass said, oops!, some of the stolen info was leveraged by the bad guys to compromise other stuff. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
Good news! They figured it out. And they concealed what they found out until December 22, literally the last minute before everyone left for the holiday break. Five paragraphs into their announcement, they mentioned in passing that hackers had obtained a copy of their entire customer vault data. That includes your passwords (encrypted with your master password, which the company doesn’t know), plus a few other minor things that apparently are not encrypted, like your name, billing address, email address, phone numbers, all of the website URLs you’ve visited, and IP records that allow tracking of your locations and movement. Double-oops!
The timing of the announcement was obviously intentional, an attempt to keep news coverage low, even if that meant ruining the holidays for IT departments and security professionals worldwide. One ominous paragraph: “We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations.” Three percent of their business customers – that’s about 2500 companies that got a note advising them to change all of their employees’ passwords for everything stored in LastPass. I doubt if those IT folks had a great Xmas.
Virtually every sentence of their announcement was untrue or misleading. This is a good dissection of the statement. The LastPass statement also attempts to lay groundwork for blaming customers if password vaults are decrypted.
Are you at risk?
LastPass accounts created after 2018 are required to have long master passwords (12 characters or more), and there are settings behind the scenes to improve the encryption on your vault. As long as your master password isn’t completely stupid, you should be fine. (Completely stupid = a single long word followed by an exclamation point or something else easily guessed by powerful computers with nothing else to do.)
If you have a complex master password and an older LastPass account, you’re still okay, but there’s an asterisk. The improved encryption is supposed to have been rolled out to everyone – the company said it was doing that in 2018. “We have increased the number of PBKDF2 iterations we use to generate the vault encryption key to 100,100. The default for new users was changed in February 2018 and we are in the process of automatically migrating all existing LastPass users to the new default.” Unfortunately, there are lots of anecdotes from people discovering that the important setting was never turned up for their encryption, making it easier for powerful computers to guess the master password by brute force. It’s still not easy but jeez, there are a lot of determined bad guys with powerful computers and a lot of patience.
If you have a short master password (eight characters or fewer) on an older account – well, a bad guy could probably break into your vault. Your only protection is that you may fly under the radar – they’ll start with high profile and high value accounts and they might not ever get to you.
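To make the two points above concrete (the PBKDF2 iteration count and the length and quality of the master password), here is an added illustration that is not from the article or from LastPass. It assumes PBKDF2-HMAC-SHA256 with the account email as salt and a 32-byte key, which is a common construction and only an assumption here; the 5,000-iteration figure, the guess rate and the mini wordlist are constructed for the demo. The only number taken from the page is the 100,100 iterations LastPass said it migrated users to.

```python
import hashlib
import time

# Constructed demo values. Only NEW_ITERATIONS (100,100) comes from the article;
# the low "never migrated" setting and the attacker guess rate are assumptions.
OLD_ITERATIONS = 5_000
NEW_ITERATIONS = 100_100
KEY_LEN = 32
ASSUMED_SHA256_PER_SECOND = 1e9   # constructed figure for one GPU rig

# Constructed stand-in for a real dictionary.
DEMO_WORDLIST = {"password", "sunshine", "dragon", "welcome",
                 "letmein", "football", "unbelievable"}


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the (lower-cased) email as salt.
    Assumed scheme for illustration, not LastPass's actual implementation."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def time_one_derivation(master_password: str, email: str, iterations: int) -> float:
    """Wall-clock seconds for a single derivation; this is what the attacker
    pays per guess, so it scales linearly with the iteration count."""
    start = time.perf_counter()
    derive_vault_key(master_password, email, iterations)
    return time.perf_counter() - start


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, iterations: int,
                       sha256_per_second: float) -> float:
    """Worst-case time to try every password of the given length, assuming
    each PBKDF2 guess costs roughly `iterations` HMAC-SHA256 evaluations."""
    return keyspace(alphabet_size, length) * iterations / sha256_per_second


def is_weak_master_password(pw: str, wordlist=DEMO_WORDLIST, min_len: int = 12) -> bool:
    """Flags the patterns the article warns about: shorter than the post-2018
    minimum, or a single dictionary word with only trailing punctuation/digits."""
    if len(pw) < min_len:
        return True
    core = pw.rstrip("!?.,0123456789")
    return core.lower() in wordlist


if __name__ == "__main__":
    email = "user@example.com"   # constructed
    pw = "correct horse battery staple"
    for iters in (OLD_ITERATIONS, NEW_ITERATIONS):
        print(f"{iters:>7} iterations: one derivation took "
              f"{time_one_derivation(pw, email, iters):.4f}s")
    # Eight lowercase letters, exhaustively, at the assumed guess rate.
    for iters in (OLD_ITERATIONS, NEW_ITERATIONS):
        days = seconds_to_exhaust(26, 8, iters, ASSUMED_SHA256_PER_SECOND) / 86400
        print(f"{iters:>7} iterations: 26^8 keyspace exhausted in ~{days:.1f} days")
    for candidate in ("dragon!", "unbelievable!", pw):
        print(f"{candidate!r}: weak={is_weak_master_password(candidate)}")
```

Raising the iteration count from 5,000 to 100,100 makes every guess about twenty times more expensive, which is exactly why an account left on the old setting is the one the article worries about; adding characters to the master password multiplies the keyspace instead, which is the far larger lever and the one the user controls.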
Could LastPass have prevented the hack?
Security is complicated. I’m not a security professional.
But I can tell you an anecdote of two hacks that also happened in August 2022.
Twilio was hacked when a sophisticated phishing operation used text messages to trick employees into giving up passwords and 2FA codes. The hackers were able to access customer data.
Cloudflare was hacked by the same bad guys using the same techniques. But the bad guys got nothing from Cloudflare. Everyone with authority to access the Cloudflare system is required to use a hardware key for authentication. The hackers could not get past the hardware key requirement.
Hardware keys have been around for more than a decade. One example of how effective they are: in 2018, Google said: “At Google, we have had no reported or confirmed account takeovers due to password phishing since we began requiring security keys as a second factor for our employees.”
LastPass admitted that its hack occurred when an employee was targeted and their credentials were stolen.
If LastPass required hardware keys for its employees, maybe the hack would not have been possible. Maybe. I dunno. It’s a complicated world.
But damn it, LastPass, we counted on you, and now the bad guys have our stuff! It’s obvious that LastPass could have/should have been doing more.
Enough is enough. It’s time to leave LastPass.