Are you aware of the recent LastPass security incident? That your password “vault” may have been in the hands of attackers? Have you seen some of the news but aren’t quite clear on what it all means, or, importantly, what you should do now? Are you looking for some clear advice? Read on.
If you’re reading this article, I’m sure you’re aware of the recent LastPass data breach. In addition to the information publicly released around this incident by LastPass themselves, there is some really good additional information available based on analysis from a number of security experts, many of whom have a detailed understanding of encryption, as well as of the specific architecture and processes used by LastPass. A number of these security professionals have also conducted their own testing and documented their findings.
A lot of this information is very technical in nature. This article seeks to utilise the information available to provide concerned LastPass customers with some practical, balanced guidance on what you can do to minimise the risks associated with this incident. If you want to understand the finer detail around what feeds into this advice, I’ll reference and credit the relevant sources at the end of this article.
The purpose of this article is not to pass comment or judgement on the LastPass product, its processes or how they have dealt with the incident, or to recommend alternative products which may or may not be better (there are always multiple factors to consider here). The overriding aim is to clearly present the potential risks associated with this incident and to provide you with some easy-to-follow advice on how to analyse your level of risk, and sensible next steps to take.
So firstly, let’s recap briefly what’s happened, as per the information released by LastPass:
You can read all of the communications from LastPass outlined above in the LastPass blog, here:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
Based on reviewing and interpreting all of that, along with detailed analysis from other sources, here’s a few key things to know.
As with most security tools, the overall level of security they provide is a combination of the tool itself and the decisions you make. If anything demonstrates that point, this incident does. The level of risk is therefore different for each LastPass user.
The key questions you need to consider are (answer these as of August, i.e. the point at which the data was obtained):
The questions above all have a bearing on how long it might take to obtain your Master Password (using various different methods) and use it to decrypt your data.
Then you need to consider the data itself stored within your vault. This is mainly sites/apps along with their usernames and passwords, but could also include bank account and card details, notes, PIN numbers, names, addresses, and any personal/sensitive information that you stored in LastPass to “keep safe”. Key questions here are:
As you can see, there are a number of questions to ask yourself which will help determine how at risk you are. This list is not exhaustive. You can probably determine largely how these fit together. For example:
If your Master Password is the same as you use on other sites, and is weak, and you don’t have MFA on your Gmail account (with the password stored in LastPass) – HIGH RISK
Strong, unique Master Password, no weak or reused passwords in the vault, MFA set up on anything containing important data – LOWER RISK
You get the idea, but there are a lot of inter-relating factors to consider.
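To make the “reused or weak passwords in the vault” question concrete, here is a small added script (not code from the article or from LastPass) that reads a vault CSV export, flags entries whose password is shared with other entries or is short, and orders them so you know which to change first. The column layout of the export, the 12-character threshold and the sample entries are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout a LastPass CSV export is assumed to use
# (url,username,password,totp,extra,name,grouping,fav); not real credentials.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.google.com,alice@example.com,Summer2019!,,,Gmail,Email,1
https://www.example-bank.com,alice,Summer2019!,,,Bank,Finance,0
https://forum.example.org,alice,hunter2,,,Forum,Misc,0
https://shop.example.net,alice@example.com,x9$Lq!vP3#mZ7wRk,,,Shop,Misc,0
"""

MIN_LENGTH = 12  # assumed threshold below which a stored password counts as weak


def triage_vault(export_text: str) -> list:
    """Annotate each vault entry with reuse/weakness flags and a change priority.

    Priority 1 = reused AND weak, 2 = reused OR weak, 3 = neither.
    Entries are returned sorted by priority, then by name.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group entry names by the exact password they use to spot reuse.
    entries_per_password = defaultdict(set)
    for row in rows:
        entries_per_password[row["password"]].add(row["name"])

    results = []
    for row in rows:
        sharers = entries_per_password[row["password"]] - {row["name"]}
        reused = bool(sharers)
        weak = len(row["password"]) < MIN_LENGTH
        priority = 1 if (reused and weak) else 2 if (reused or weak) else 3
        results.append({
            "name": row["name"],
            "url": row["url"],
            "reused_with": sorted(sharers),
            "weak": weak,
            "priority": priority,
        })
    results.sort(key=lambda r: (r["priority"], r["name"]))
    return results


if __name__ == "__main__":
    for entry in triage_vault(SAMPLE_EXPORT):
        print(entry["priority"], entry["name"], entry["reused_with"], entry["weak"])
```

Run it against your own export in place of SAMPLE_EXPORT and work down the list from priority 1; an entry with an empty `reused_with` and `weak` False is the lowest priority.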
So, this is the piece that you’re probably here for – what do I need to do and in what order – what are the priorities?
This will vary depending on your risk, so I’ve tried to create a list which helps you both assess the risk and act accordingly. I’m not going to attempt to explain in detail the rationale behind the order, but if enough people are interested, I may do a follow-up video to explain it.
Here’s the process.
Note that this process has been written specifically for stored passwords. For other items such as secure notes, follow the same priority order depending on what information was contained in the notes. If you stored bank card information such as PIN numbers or CVV codes, particularly if you did not have a strong Master Password, it would be wise to change PINs or order new cards (in the case of CVV codes).
The following people and articles were most helpful in putting this article together, through either direct assistance/review or just posting/sharing their knowledge, which was useful for research, and I would like to thank them all.
Daniel Card
Greg Ford
The CyberScale team
https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
https://infosec.exchange/@epixoip/109585049354200263