2022-12-29

The big LastPass data breach and what to do about it

You may not want to spend time reading a post as long as this one and carrying out the actions suggested below, but if you're a LastPass user this breach is a big deal and deserves your full attention.  At the very least I suggest reading this post in its entirety so that you can decide what your risks are, how bad they are, and how much effort they are worth to mitigate.

What happened?

If you're a LastPass user, you'll want to be aware of a (recent?) major data breach that occurred sometime in the last four months, in which (probably all) customer vault data was stolen.  This is one of a (large and increasing) number of analyses of the breach available:

Note especially that the data breach contained not only your end-to-end encrypted (E2EE) vault (with user ids, passwords, and notes for all the entries) -- as you'd expect from any password manager breach -- but also a lot of unencrypted information for each user: 
  • company name
  • end-user name
  • billing address
  • email address (you probably want to assume that this is both the main email id and, if set up, the security email id)
  • telephone number
  • the number of iterations for PBKDF2 
  • the IP addresses from which the user has accessed the LastPass service (you probably want to assume that this is not only the last access but also history, for an unknown period of time)
  • the full URL stored in every entry in the vault

The last two items above, and especially the last one, present special security and privacy risks.

You might want to also read the (very thin) LastPass notice itself:

LastPass hasn't stated how many customers were affected, so it's best to assume that it's "all", or at least that you have been affected.  But note that, according to this notice, if you are a Business customer that has implemented LastPass Federated Login Services, you are not affected by this breach.

Maybe you use the LastPass Authenticator, a TOTP 2FA app/service?  LastPass didn't mention it in the notice, so you might choose to assume that the TOTP seeds were also part of the breach; on the other hand, since LastPass hasn't mentioned the seeds in the context of the breach, one might reasonably assume that they were end-to-end encrypted.

What are the risks?

Before we get to what you can do, it's important to understand that as a LastPass user your vault is now out in the wild (and whether your LastPass account had 2FA enabled at the time of the breach makes no difference.)  Attackers will go to work to try to crack the data, and, depending on how strong your master password (MP) was at the time of the breach, your breached vault will be decrypted soon, later, or never.  And, separately, attackers now have a list of all the accounts in your vault, via the unencrypted URLs.  And they also have the other personal information listed above.

Nothing you do now can change this.  In particular, changing your current MP now or deleting your LastPass account now won't make any difference to the data that's already out there.  But there are still many actions you can take to mitigate the resulting risks, including changing weak or reused passwords on cloud accounts listed in your vault.
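To make "soon, later, or never" concrete, here is an added example (my own code, not LastPass's and not from this post) that performs one PBKDF2-SHA256 derivation the way an offline attacker must repeat it once per guess, and then works out how long exhausting a keyspace takes at a given guess rate. The iteration counts (5,000 and 100,100), the attacker throughput, and the use of the account email as the salt are all constructed or assumed values for illustration; the point is the shape of the relationship: cracking time grows linearly with the iteration count but exponentially with master password entropy.

```python
import hashlib
import time

# Constructed sample iteration counts for illustration only; the count that applies
# to a given account was part of the unencrypted data in the breach.
SAMPLE_ITERATION_COUNTS = (5_000, 100_100)
SECONDS_PER_YEAR = 365.25 * 86_400


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """One PBKDF2-SHA256 derivation: the work an offline attacker repeats per guess.
    Using the account email as the salt is an assumption made for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=32)


def measure_guess_rate(iterations: int, samples: int = 3) -> float:
    """Guesses per second on this CPU; GPU crackers are orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", "user@example.com", iterations)
    return samples / (time.perf_counter() - start)


def scaled_rate(rate: float, measured_iterations: int, target_iterations: int) -> float:
    """PBKDF2 cost grows linearly with iterations, so the guess rate shrinks in proportion."""
    return rate * measured_iterations / target_iterations


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to try every one of the 2**entropy_bits candidates (on average, half of this)."""
    return 2.0 ** entropy_bits / guesses_per_second


def crack_table(attacker_rate_at_5000: float, entropies=(28, 40, 60, 80)) -> dict:
    """Years to exhaust each keyspace at each sample iteration count, given an
    (assumed) attacker rate measured at 5,000 iterations."""
    table = {}
    for iterations in SAMPLE_ITERATION_COUNTS:
        rate = scaled_rate(attacker_rate_at_5000, 5_000, iterations)
        table[iterations] = {bits: seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR
                             for bits in entropies}
    return table


if __name__ == "__main__":
    # Assumed attacker throughput: a constructed figure, not a measurement or a claim.
    ASSUMED_ATTACKER_RATE = 1_000_000.0
    print(f"this CPU: {measure_guess_rate(5_000):.1f} guesses/s at 5,000 iterations")
    for iterations, row in crack_table(ASSUMED_ATTACKER_RATE).items():
        cells = ", ".join(f"{bits} bits: {years:.3g} y" for bits, years in row.items())
        print(f"{iterations:>7} iterations -> {cells}")
```

Run it and compare the rows: going from 5,000 to 100,100 iterations buys a factor of about 20, while every extra bit of entropy in the master password doubles the attacker's work. That is why a strong master password matters far more than the iteration count.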

The risks that you face right now stem from at least these sources:
  • the LastPass breach itself,
  • weaknesses in your use of LastPass,
  • weaknesses in your use of cloud accounts and the Internet in general, and
  • weaknesses in LastPass's security and privacy.

What to do?

Based on the information released by LastPass and on others' analyses, and making some assumptions/guesses, this is my rough view of some mitigation actions you can take beginning right away.  The order of these actions could be debated, but this will give you a good place to start from.  Ideally, though, you'd want to read some other analyses too, to help you decide what your risks are, how bad they are, and how much effort they are worth to mitigate.

Be (even more) on the lookout for phishing attempts, since attackers now have a list of all your accounts; ensure you fully understand how phishing works and how you can reduce your risk; and become more cybersecurity aware and knowledgeable generally.

If the MP on your account (which is the one on your current vault) is weak (or reused), you're at an ongoing risk of attack from the Internet, so:

change your MP to a strong one (and don't use for it any password you've ever used before)

If you don't have 2FA on your LastPass account, you're again at an ongoing risk of attack from the Internet, so

turn on 2FA in your account; a good option for most people is TOTP 2FA, such as Authy -- LastPass Authenticator is not a good option  :)

If the MP on your breached vault was weak (or reused), your breached vault might be decrypted by an attacker, so:

for every important account in your breached vault that has a weak or reused password and either doesn't have 2FA enabled or (if you think the seeds might have been stolen) uses LastPass Authenticator:

change those passwords to strong and unique ones

(To find weak or reused passwords, use the Security Dashboard tool from inside your LastPass vault.  This of course searches only your current vault, not your breached vault.)  

Because all the URLs in your vault were included in the breach, for every important account in your breached vault -- unless you've deleted the account since the breach -- review the URL: it might contain something it shouldn't, like a token or password.  If it does, you might want to change the password on the account.  You can't know what exactly was in your vault at the time of the breach, so the best you can do is review your current vault.  (Added 2023-01-03)

For every important account in your current vault (which attackers now have a list of from your breached vault) that has a weak or reused password, an attacker might be able to figure out the password, so:

change those passwords to strong and unique ones

Note that 2FA does provide additional protection, but never rely on it to save you from a weak password.

If you use LastPass Authenticator (and if you think the seeds might also have been stolen), switch all important accounts using it to a new authenticator app/service, such as Authy, Google Authenticator, or Microsoft Authenticator

Do not choose the authenticator built into your future new password manager (see below), because you want defense in depth

Turn on 2FA for all your accounts that support it, using your new authenticator app/service

Register all your email addresses with the Have I Been Pwned service; it will notify you if any of those addresses is part of a future data breach. 

Have I Been Pwned: Check if your email has been compromised in a data breach

Switch to a new password manager, such as Bitwarden (free/paid) or 1Password (paid)

(Note that there's no particular urgency to move off LastPass, as long as you've completed the actions above.)

N.B. The LastPass breach does not mean that password managers, or even cloud-based password managers, are a bad idea: properly used, they are the best mix of security and convenience for managing your ever-growing set of account credentials. (Passwords themselves, though, are inherently insecure, but a much better replacement is slowly being introduced, viz. Passkeys.) Yes, Bitwarden and 1Password could be hacked just as happened with LastPass. Your protection -- for LastPass, Bitwarden, 1Password, and any other Zero Knowledge / end-to-end encrypted (E2EE) service -- is a strong master password.

Don't use your LastPass MP -- either the current one or the one on your breached vault -- for your new password manager!  You need to choose a new MP.

Bitwarden and 1Password are highly regarded, are likely better at disclosure of security and privacy breaches, appear to have better security (including internal processes) and encryption, encrypt the URLs in the vault, and have regular third-party audits done.  1Password has a stronger encryption key scheme, viz. its Secret Key.  Bitwarden is open source.

1Password's Secret Key can be thought of as some random characters -- roughly 6 -- added behind the scenes to your master password.  This provides some additional protection for server-side breaches such as the one that happened to LastPass.

The process is relatively simple: export your LastPass vault, then import that data into your new password manager.  File attachments don't export with the vault, so they need to be dealt with separately.

When you're certain that you've moved all your vault data over, delete your LastPass account.  If you use LastPass Authenticator, switch all remaining accounts using it to your new authenticator app/service before deleting the account.

For every account in your new password manager vault that has a weak or reused password (at this point only less important accounts should remain), unless it's truly unimportant:

change those passwords to strong and unique ones

What's weak vs. strong?

It's complicated!  You could do some reading starting from this Google search:

"strong password" "weak password" "entropy" - Google Search

Weak and strong are not black and white, and there are many different views on the subject, but you could start with these very, very, very rough ideas -- just my guesses -- about whether a password is "weak" or "strong".  There are of course many possible caveats, special cases, and exceptions.  Tweak these ideas as you see fit.

For regular cloud account passwords, weak could mean, at a bare minimum:

the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 12 characters long, or

the password does not look reasonably random and is less than 15 characters long

For your password manager MP, which is protecting information of higher sensitivity than your other cloud accounts, weak could mean, at a bare minimum:

the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 17 characters long, or

the password does not look reasonably random and is less than 20 characters long
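The Security Dashboard only checks the current vault from inside LastPass, and the URL review suggested earlier is manual. As an added example (my own code, not a LastPass tool and not from this post), the script below runs the same three checks locally over a CSV export: reused passwords, weak passwords by the rough thresholds just given (12/15 characters for cloud accounts, 17/20 for a master password), and URLs whose query string carries something that looks like a token or password. The column header is assumed to match the LastPass CSV export format; the rows are constructed sample data, and the list of suspicious query-parameter names is my own.

```python
import csv
import io
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample export. The header is assumed to match LastPass's CSV export;
# every row below is made up for this example.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com/login,alice@example.com,Summer2019!,,,Mail,Personal,0
https://bank.example.net/,alice,Summer2019!,,,Bank,Finance,1
https://files.example.org/share?token=eyJhbGciOi.abc.def,alice,vZ8#qL2!mT4@rW9s,,,Files,Work,0
https://shop.example.com/?password=oops&user=alice,alice,xk3$Pq9!,,,Shop,Personal,0
https://forum.example.com/,alice,tr0ub4dor&3 long enough and random,,,Forum,Personal,0
"""

# Query-string keys that suggest a credential or session material ended up in a URL
# (my own list; extend it for the services you use).
SENSITIVE_PARAM_NAMES = {"token", "access_token", "password", "pwd", "pass", "key",
                         "apikey", "api_key", "auth", "session", "sessionid", "secret"}


def character_classes(pw: str) -> int:
    """How many of lower case, upper case, digits and symbols appear in pw."""
    return sum((any(c.islower() for c in pw),
                any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)))


def looks_reasonably_random(pw: str) -> bool:
    """The post's proxy for 'looks random': at least 3 of the 4 character classes."""
    return character_classes(pw) >= 3


def is_weak(pw: str, master: bool = False) -> bool:
    """Apply the post's bare-minimum length thresholds for the two password kinds."""
    random_min, other_min = (17, 20) if master else (12, 15)
    if looks_reasonably_random(pw):
        return len(pw) < random_min
    return len(pw) < other_min


def url_secret_params(url: str) -> list:
    """Names of query parameters in url that look like tokens, passwords or session ids."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(name for name in params if name.lower() in SENSITIVE_PARAM_NAMES)


def audit_export(csv_text: str) -> list:
    """Return (entry name, [issues]) for every entry with at least one finding."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    uses = Counter(row["password"] for row in rows if row["password"])
    findings = []
    for row in rows:
        pw, issues = row["password"], []
        if pw and uses[pw] > 1:
            issues.append("reused")
        if pw and is_weak(pw):
            issues.append("weak")
        leaked = url_secret_params(row["url"])
        if leaked:
            issues.append("url-params:" + ",".join(leaked))
        if issues:
            findings.append((row["name"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_export(SAMPLE_EXPORT):
        print(f"{name:<8} {'; '.join(issues)}")
```

To use it on a real export, read the CSV file into `audit_export` instead of `SAMPLE_EXPORT`; the export is plaintext, so keep it on an encrypted disk and delete it once the migration and the audit are done. Entries flagged "url-params" deserve the password change suggested above whether or not the password itself is strong, because the URL was not encrypted.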

How to create a strong password or MP? 

The above is for the case where you are evaluating the strength of an existing password in order to decide whether to change it.  But when you are creating a new password, you probably want it to be much stronger than the above:

For regular cloud accounts, simply use the password generator built into your password manager: have it generate a random password using all 4 of lower case, upper case, digits, and symbols, and of length, say, 30 characters.  Choosing a randomly-generated password of that length essentially guarantees that it is unique, i.e., not reused.
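Every password manager has a generator built in, but it helps to see why the advice above is sound. The following is an added example (my own code, not from this post or any password manager) that generates a 30-character password from all four character classes using the operating system's CSPRNG, guarantees that each class is present, and estimates the entropy that makes reuse effectively impossible.

```python
import math
import secrets
import string

# The four classes the post asks for; string.punctuation is the 32 ASCII symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 30) -> str:
    """Random password of the given length containing at least one character per class.

    One character is drawn from each class, the rest from the whole alphabet, and the
    result is shuffled with a Fisher-Yates pass driven by secrets.randbelow so that the
    guaranteed characters do not sit in predictable positions."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(pw: str) -> bool:
    """True when pw contains at least one character from every class in CLASSES."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on the entropy of a uniformly random string of this length.
    Forcing one character per class removes a fraction of a bit; the bound is fine here."""
    return length * math.log2(alphabet_size)


def expected_collisions(entropy: float, population: float) -> float:
    """Birthday-bound estimate of how many pairs of equal passwords to expect if
    `population` independently generated passwords share the same `entropy`."""
    return population * (population - 1) / 2 / 2 ** entropy


if __name__ == "__main__":
    pw = generate_password(30)
    print(pw, has_all_classes(pw))
    bits = entropy_bits(30)
    print(f"about {bits:.0f} bits of entropy")
    # Even if every person on Earth generated a thousand such passwords, no two would
    # be expected to collide (constructed population figure for illustration).
    print(f"expected duplicate pairs among 8e12 passwords: {expected_collisions(bits, 8e12):.2e}")
```

The reasoning behind "essentially guarantees that it is unique" is the last calculation: with roughly 196 bits of entropy the birthday bound puts the expected number of duplicate pairs in any realistic population at effectively zero, so a generated password of this length cannot be "reused" by accident.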

For your new password manager MP, you need something strong enough but also very memorable, which can be a challenge. Here is my favorite algorithm: make up a long story you won't forget (maybe something that happened to you, that you did, that you want to do, etc.), add some punctuation, take the first letter of each word, and substitute digits and symbols for several of those letters.  This should give you an MP that is long and looks reasonably random, but which you won't forget (after a bit of practice).  I suggest 20 characters as a bare minimum, but more is better, and the more random it looks, the better too.  Try to use uncommon letters and uncommon symbols, e.g., not punctuation.

(This algorithm is derived from: Essays: Passwords Are Not Broken, but How We Choose them Sure Is - Schneier on Security, 2008)

Misc. Notes

There's a nice timeline of the breach here: LastPass Hacked – What Now? - Security Boulevard