Home

 › 

Articles

 › 

LastPass Suffers Second Breach in Six Months

lastpass breach

LastPass Suffers Second Breach in Six Months

Popular password management service LastPass has been a frequent target for security breaches. This attack leveraged information gleaned from August 2022’s breach. LastPass prides itself on the principle of making life easier for its user base. After two major hacks, many are unsure if the service is worth using.

In a recent blog post, LastPass disclosed that an unauthorized actor gained access to the cloud service used for production backups. During the previous breach in August, unauthorized users did not disclose any customer data.

However, the attackers obtained personal information during the most recent attack. LastPass claims that the affected data is encrypted using the AES standard, but it is of concern because the attackers also gained access to billing addresses, IPs, and other personal data.

How Does This Affect LastPass Users?

LastPass confirmed that among the data compromised, passwords and other personal identifying portions of data were present. This doesn’t pose a grave concern if you have good password practices. If you are prone to reusing passwords, this might be something to worry about. The company states the data disclosed is encrypted and useless to hackers.

Major concerns arise from LastPass storing numerous credentials like credit card numbers, passwords, and sensitive notes and documents. As a company that touts itself as a secure means of consolidating and storing credentials, it is unthinkable to have such a major breach occur.

hilarious names for your Wi-Fi
LastPass CEO said that cloud storage keys were stolen from a LastPass employee

.

©Vitalii Vodolazskyi/Shutterstock.com

Current LastPass customers should take the time to change their master passwords. They might also consider moving their data to an alternative service.

LastPass has had a stellar free plan for years. This most recent disclosure has left the details of many personal lives in the hands of bad actors. 25.6 million customers use LastPass. If even a fraction of those users is active, they are at risk.

Do I Need a Password Manager?

If you’re like anyone else on the planet, you have dozens to hundreds of passwords across multiple services. Good password practices can make keeping track of all these passwords a bit of a chore.

When you consider ideal password practices dictate the usage of passwords greater than 12 characters in size and containing zero common phrases, it’s a bit hard to develop a system for remembering things.

Password managers are useful utilities, and make managing the myriad of credentials easy. A password manager is only as good as the support network behind it, however.

LastPass has plenty of competitors, some of whom are even vocally decrying the response to this most recent breaching incident. The sad truth is that any password manager with an online component is a target for attacks.

If you do consider a password manager, KeePassXC is a local one. It keeps all your vital information stored in a vault on your desktop or laptop. It lacks mobile functionality, but the software is free to use with no monthly plans associated. Online alternatives like 1Password, BitWarden, and others are great as well. They are no strangers to attacks, but you want password management with transparent communication in the event of an incident.

Looking at the LastPass Breach

August 2022 saw a bad actor compromise a third-party cloud service where LastPass stored production data. The hacker was able to perform the attack over a four-day period. They noticed the incident and implemented remediation at this point. During this process, LastPass notified users and law enforcement officials of the breach and subsequently removed the development environment.

December 2022 saw a more catastrophic incident, with full disclosure of user vaults, billing information, personal information, and IP addresses. Credential stuffing, or the use of stolen usernames and passwords, provides the method of attack. This method uses automated tools to input stolen usernames and password pairs until there is a successful entry.

This is an iterative attack, with the previous August attack providing the means for the December attack. Customer vaults and passwords alike are in the hands of hackers, and they have this data stored offline.

LastPass assures users that encrypted personal data is impossible to crack, but anyone with the drive and means can crack something, given enough time. It also begs the question of why LastPass’s previous production environment was insecure. Hackers leveraged the previous environment to compromise countless user accounts in only four months.

LastPass’s Vital Assets

largest cybersecurity companies
A person’s digital life is rapidly becoming a critical asset.

©Thapana_Studio/Shutterstock.com

LastPass has a good amount of sensitive data for those utilizing their services. As professional secret keepers, they store things like banking information, credit card numbers, and passwords to a variety of accounts. The payment information is easy enough to change and control before it becomes an issue.

LastPass is not unique in what it stores. Most password managers will have some degree of personally sensitive identifying information present. It is part of their stated goals, but it also leaves an enticing target for any malicious parties seeking to profit from that data.

What You Can Do To Protect Your Passwords

Protecting your passwords is a continual process, rather than a break-and-fix scenario. Passwords need to change periodically, and most enterprise and business environments require regular changes. You can store passwords in a third-party password manager, but you need to change and update them.

When your personal credentials are compromised, everything needs to change as soon as possible. This means passwords, master passwords, any potential banking card information, and so forth. Your data is sensitive, so treat it like you would any valuables in your home.

As long as there is some way to profit and exploit others, your personal data will be at risk. But taking preventative and proactive steps like continual changes goes a long way in deterring exploitation.

Some Notes About Cybersecurity and You

Cybersecurity is a continual process. What this means is there isn’t a hard solution to any problem, but instead fixes in the now. Future problems will constantly arise, that is just the nature of how hackers and security staff operate. It is a constantly evolving field, and each attack requires more sophisticated solutions to patch up in the interim.

LastPass’s security staff hasn’t necessarily faltered. They have remained communicative and transparent about how this attack has transpired. Additional steps could have been taken to prevent the attack.

It needs to encrypt production storage and use whitelisting to prevent unauthorized users from even seeing the service. Instead, what has been seen is a failure in stages. Your security, or any enterprise for that matter, is only as strong as the weakest element you employ.

A third-party cloud vendor compromised LastPass and, as a result, the service that LastPass customers trusted has compromised them. The full impact of this attack is not yet known, but active subscribers should take immediate action to secure their accounts.

There are a dozen solutions for things in hindsight. But, for now, the only thing to do is look forward and take steps to protect yourself immediately.

Frequently Asked Questions

How severe is the LastPass breach?

User data was compromised. While encryption is used for all storage on LastPass’s end, it still presents dire consequences for any unfortunate person who has their master password cracked. All stored passwords are offline on a bad actor’s storage right now, so they have plenty of time to try a variety of methods of cracking open the vault.

Are breaches common with password managers?

Password manager services present an attractive target to hackers. It is common for them to be the target of attacks. Where things might differ is how these services respond to the attacks. If you’re considering an online password manager, a little cursory research should yield results as to how they effectively respond to attacks.

What does this attack mean for LastPass?

The breach occurred on December 2nd, and at the time of this writing, there is still an ongoing investigation into the scope of the breach itself. The most recent update was published on December 22nd and it can take a fair amount of time with operations this complex to ascertain where things are going.

Whether this has long-term severe consequences for LastPass remains to be seen, but it certainly has brought them a fair bit of criticism from those in the security field.

Are any password managers secure?

Any online service is only as secure as the weakest element in its toolchain. Many online platforms have taken to offloading certain elements of their production environments to the cloud, and the cloud carries its own set of risks.

Cloud services are off-site platforms, meaning the organization which manages them is also managing their security. Security for whatever companies are contracting the cloud services has no bearing on the security considerations of the cloud provider.

This means that in the event of a compromise, like what happened with LastPass this August, it creates a very severe risk where both companies are having to scramble to remediate any issues.

Why is cybersecurity an evolving process?

The way to see cybersecurity is like an arms race. Bad actors develop tools, which grow more sophisticated with every passing year, and security personnel is forced to adapt and react to those tools.

It is a constant push-and-pull routine to just maintain overall security in an organization. Security comes with a series of caveats, like constant audits, compulsory compliance for sensitive industries, and the risk of legal action in the event of a severe failure.

Employment for security personnel has only gone up since the start of the pandemic, even during the hiring freezes and layoffs seen from massive tech giants like Meta, Amazon, and Twitter.

To top