LastPass Data Breach
As you may have heard, LastPass, one of the most widely used password managers, has suffered another breach, and while cybersecurity can feel like a tired topic, it remains as important as ever. We are keeping a close eye on the information LastPass has released about the 2022 incident (reported in September, with further updates in November and, most recently, December 2022). As the investigation has continued it has become clear that more data was accessed than originally understood, and unfortunately opinion pieces and speculation have multiplied and are clouding the facts.
A snippet from LastPass's full official December release reads:
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
Simplified, this means the attackers hold enough information to target individual LastPass users with convincing phishing (they know your name, email address, telephone number, billing address and the IP addresses you log in from) and credential stuffing, and because the website URLs in the vault backup are not encrypted, they can see which sites you hold accounts with and pick out the records worth attacking first, for example the entry for a personal or company banking website.
What has not changed is the position that, thanks to the Zero Knowledge architecture, the encrypted fields in each vault remain protected by that user's master password. If that master password is strong (per LastPass best practice), your passwords and secure notes remain safely encrypted. Bear in mind, though, that the attacker holds a copy of the vault, so this is an offline attack: there is no account lockout or rate limiting, and the only things slowing the guessing down are the strength of the master password and the PBKDF2 iteration count the account was configured with.
Another snippet from the official release, in which "the default settings above" refers to LastPass's master password defaults (a 12-character minimum and 100,100 iterations of PBKDF2-SHA256), reads:
If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.
However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
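To make the "millions of years" claim above concrete, here is an added example (our own illustration, not LastPass code) that models the offline attack on a stolen vault: every guess at the master password costs the attacker one PBKDF2-SHA256 derivation at the victim's iteration count, so the time to exhaust the keyspace scales with both password entropy and the iteration count. The cracking rate, the example account email and the 5,000-iteration legacy figure are assumptions for illustration; 100,100 is LastPass's published default.

```python
import hashlib
import math
import time

# Added example (not LastPass code): what "default settings" buy you against an
# offline attack on a stolen vault. The vault key is derived from the master
# password with PBKDF2-SHA256, so every guess costs the attacker one derivation
# at the victim's iteration count. Values marked ASSUMED are illustrative.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
LEGACY_ITERATIONS = 5_000     # ASSUMED: an older account whose count was never raised
DEFAULT_ITERATIONS = 100_100  # LastPass default since 2018


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """One guess from the attacker's point of view: a full PBKDF2 derivation.
    The salt is per user (LastPass uses the account e-mail), so precomputed
    tables do not help and each account must be attacked separately."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=32)


def measure_seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Time one derivation on this machine; shows the cost is linear in iterations."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", "victim@example.com", iterations)  # ASSUMED salt
    return (time.perf_counter() - start) / samples


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound: a uniformly random password over the alphabet. Human-chosen
    passwords carry far fewer bits, which is why dictionary and rule-based
    attacks beat these exhaustive-search numbers by orders of magnitude."""
    return length * math.log2(alphabet_size)


def guesses_per_second(reference_rate: float, reference_iterations: int,
                       iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so a cracking rate measured
    at one count rescales to another: 20x the iterations means 1/20th the rate."""
    return reference_rate * reference_iterations / iterations


def years_to_exhaust(entropy_bits: float, rate: float) -> float:
    """Worst case for the attacker: try the whole keyspace at `rate` guesses/s."""
    return 2 ** entropy_bits / rate / SECONDS_PER_YEAR


def compare_scenarios(reference_rate: float = 1e6) -> dict:
    """ASSUMED: the attacker's hardware manages `reference_rate` guesses/s at
    LEGACY_ITERATIONS. Returns years to exhaust each scenario's keyspace."""
    scenarios = {
        "8 chars, a-z0-9, 5,000 iterations": (8, 36, LEGACY_ITERATIONS),
        "8 chars, a-z0-9, 100,100 iterations": (8, 36, DEFAULT_ITERATIONS),
        "12 chars, 95 printable, 100,100 iterations": (12, 95, DEFAULT_ITERATIONS),
    }
    result = {}
    for name, (length, alphabet, iterations) in scenarios.items():
        rate = guesses_per_second(reference_rate, LEGACY_ITERATIONS, iterations)
        result[name] = years_to_exhaust(password_entropy_bits(length, alphabet), rate)
    return result


if __name__ == "__main__":
    for iters in (LEGACY_ITERATIONS, DEFAULT_ITERATIONS):
        ms = measure_seconds_per_guess(iters) * 1e3
        print(f"{iters:>7} iterations: {ms:.1f} ms per guess on this CPU")
    for name, years in compare_scenarios().items():
        print(f"{name:<45} {years:,.2e} years")
```

The point of the comparison is that the short password at the legacy iteration count falls in weeks, raising iterations to the default buys roughly a twenty-fold improvement, and only the long random password pushes exhaustive search into the hundreds of billions of years. Raising your own iteration count now does not help against the copy already stolen; only the master password's strength at the time of the backup does.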
Our recommendations are as follows:
- If you did not create a master password following this best practice, we recommend refreshing your stored website passwords, starting with the highest-value accounts (banking, email, and anything that can reset other passwords).
- Additionally, if any of the individual website passwords you have saved are weak or reused, we recommend refreshing those passwords regardless of how strong your master password is.
- Check the password iterations setting in your LastPass account settings. Accounts created before the current default of 100,100 was introduced may still be set to a lower value; raising it protects the vault going forward, but it cannot undo the copy the attacker already holds, so it is not a substitute for rotating passwords.
- Expect phishing that references the sites you actually use, since the attackers can see your vault's URLs, and treat any unsolicited "reset your password" message with suspicion.
The safest posture is to recognise that it is not "if" but "when" a breach will impact you and your business. We continue to recommend a password manager: one that encourages the right password complexity and hygiene behaviours is a significant step above managing passwords individually. Single Sign On (SSO) via Identity Management (like Microsoft's Azure or Google IAM) remains the strongest option where it is available, as it removes the requirement for separate website passwords altogether, provided the identity provider account itself is protected with multi-factor authentication, and we encourage setting this up wherever possible.