Lastpass, one of the most popular password manager providers suffered a data breach that exposed data for their 33 million customers. A scary amount of data!
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.LastPass Press Statement
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
So essentially the hackers were able to access ALL the customer data. As much as most of it is still encrypted, the data that is not which they highlighted as URLs is still pretty valuable data. It essentially shows the hackers all the websites that you access using LastPass and if the websites are interesting enough they can make you a target.
Every LastPass user is at risk and they are silent
At the moment the ONLY thing stopping the hackers from decrypting a LastPass customer’s data is the customer’s master password which is used to generate the encryption key for that particular account. This master password is one you use to access your LastPass account. And if your password is one of those weak ones then you are at the highest risk of getting hacked. LastPass is also handling this in a very shady manner. Their press release was only published on their blog and they quote that they only notified less than 3% of their users who happen to be their business clients even though the hack affected all their customers.
We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations. If you are a Business customer and you have not already been contacted to take action, then there are no other recommended actions for you to take at this time.LastPass Press Statement
So after telling everyone that these hackers have EVERYTHING and that the only form of safety left is the user’s master password, they say that if they didn’t contact you then relax. You are fine. This is the worst advice they can give to their customers. It is in stark contrast to the way Google handled its data breach which up to today still advises all Google Password Manager users to update passwords for any website that still uses a password from a time before the data breach. Why LastPass only advised less than 3% of their users and kept it hush-hush for the other 97%+ makes it look like they are trying to save face by keeping quiet and only informing clients that can make the most noise for them giving them bad press.
What then is the best way to manage my heaps of passwords?
There are plenty of ways to manage passwords. And I will list them here so you can pick which ones work best for you.
Continue using LastPass
A majority of LastPass users are definitely going to stay with it for a couple of reasons. Maybe because it is a familiar platform and they do not want to invest time and energy into learning a new one, or they still have an active subscription holding them hostage. It’s still fine.
These people can still continue using LastPass but they cannot avoid the painstaking task of updating every password in their LastPass as well as the master password of their LastPass account to something strong, and random with at least 12 characters. This needs to be done immediately.
The hackers copied data so if you update your details then whatever they took will be old data that no longer works to access/decrypt your information.
Use a different password manager
You may actually not need to download or subscribe to a 3rd party password manager. Most platforms come with built-in password managers. Google comes with one built into Android smartphones and the Chrome browser on PC. All the passwords are saved in your Gmail account. In the Apple ecosystem, you have the option of iCloud as your password manager and if you wish to take this service to the cloud you can also activate iCloud Keychain.
Mobile devices like smartphones also have built-in password managers for apps that store passwords on-device or on the cloud. In the Android world, you have Google’s solution that saves passwords to your Gmail account. There is also a first-party option that saves the passwords in a password vault provided by the device manufacturer. A bit of a benefit with these methods is they come with an additional security layer of biometric authentication via fingerprint or 3D face recognition. These can be slightly more secure than PC options.
You can also use 3rd party password managers which are in direct competition with LastPass. They will definitely see the LastPass hack as an opportunity to make their solutions more secure for their customers. One such app is 1Password.
Setup 2-Factor Authentication
2-Factor authentication is a security measure that requires an additional verification step when logging in on top of the user name and password combination. The most common forms of it are a code sent via SMS or call. It gives any potential hacker a second barrier to entry because they will need to have physical access to your device so they can access this code. Moreover, the code expires after a few minutes and once this happens a new one will be required.
Whether you use a password manager or not, you need to activate 2-Factor authentication, especially on your email that is used to sign into social media accounts, bank accounts, apps, and other important websites.
The best way to not get hacked is to not be on the internet. So these methods will not keep you 100% safe from hackers. However, they definitely will make it many times harder for them to succeed which is the next best option.