LastPass data breach: It’s time to ditch this password manager
You’ve heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free and mainstream option, especially in the 2010s, it was probably LastPass. For the security service’s 25.6 million users, however, the company made a worrying announcement on December 22: A security incident the firm had previously reported (November 30) was actually a massive and concerning data breach that exposed encrypted password vaults — the crown jewels of any password manager — along with other user data.
The details LastPass provided about the situation a week ago were worrying enough that security experts quickly began asking users to switch to other services. Now, nearly a week since the disclosure, the company has not provided further information to confused and concerned customers. LastPass did not return WIRED’s multiple requests for comment on how many password vaults were compromised in the breach and how many users were affected.
The company has not even clarified when the breach occurred. It appears to have been sometime after August 2022, but the timing is significant, because a big question is how long it will take attackers to start “cracking” or guessing the keys used to encrypt the stolen password vaults. If attackers had three or four months with the stolen data, the situation is even more urgent for affected LastPass users than if hackers only had a few weeks. The company also did not respond to WIRED’s questions about what it calls “a proprietary binary format” it uses to store encrypted and unencrypted vault data. To characterize the scope of the situation, the company said in its announcement that hackers were “able to copy a backup copy of customer vault data from the encrypted storage container.”
“In my opinion, they do a world-class job of detecting incidents and a really, really terrible job of preventing problems and responding transparently,” says Evan Johnson, a security engineer who worked at LastPass more than seven years ago. “I will either look for new options or see a renewed focus on building trust over the next few months from their new management team.”
The breach also included other customer data, including names, email addresses, phone numbers and some billing information. And LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted, but other information, like URLs, is not. In this situation, the plaintext URLs in a vault can give attackers an idea of what’s inside and help them prioritize which vaults to work on cracking first. The vaults, which are protected by a user-selected master password, pose a particular problem for users looking to protect themselves in the wake of the breach, because changing the master password now with LastPass will do nothing to protect the vault data that has already been stolen.
Or, as Johnson puts it, “with Vault restored, the people who hacked LastPass have unlimited time for offline attacks by guessing passwords and trying to recover specific users’ master keys.”
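To make the last two points concrete, here is an added illustration that is not part of the article and not LastPass code: a toy vault in the hybrid layout the article describes (URL in the clear, password field encrypted under a PBKDF2 key derived from the master password). The cipher, iteration count and sample entry are constructed stand-ins; what it shows is that a stolen snapshot still opens with the old master password after rotation, and that the URLs in it need no key at all.

```python
import hashlib
import hmac
import json
import os

# Constructed iteration count for illustration only, not LastPass's actual setting.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Key derivation in the style password managers use: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs on the
    # standard library alone; a real vault would use AES. Encrypts and decrypts alike.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_vault(master_password: str, entries: list) -> dict:
    """Hybrid layout: 'url' stays plaintext, 'password' is encrypted under the derived key."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    items = []
    for e in entries:
        nonce = os.urandom(12)
        ct = _keystream_xor(key, nonce, e["password"].encode())
        items.append({"url": e["url"], "nonce": nonce.hex(), "password": ct.hex()})
    return {"salt": salt.hex(), "items": items}


def open_vault(master_password: str, vault: dict) -> dict:
    """Decrypt every password field; a wrong master password yields garbage, not an error."""
    key = derive_key(master_password, bytes.fromhex(vault["salt"]))
    return {i["url"]: _keystream_xor(key, bytes.fromhex(i["nonce"]), bytes.fromhex(i["password"]))
            .decode("utf-8", errors="replace") for i in vault["items"]}


def rotate_master_password(old: str, new: str, vault: dict) -> dict:
    """What 'changing the master password' does: re-encrypt the live vault under a new key."""
    return build_vault(new, [{"url": u, "password": p} for u, p in open_vault(old, vault).items()])


def demo() -> dict:
    entries = [{"url": "https://bank.example", "password": "correct horse"}]  # constructed
    live = build_vault("old-master", entries)
    stolen_copy = json.loads(json.dumps(live))  # attacker's snapshot of the backup
    live = rotate_master_password("old-master", "new-master", live)
    return {
        "urls_readable_without_key": [i["url"] for i in stolen_copy["items"]],
        "stolen_copy_opens_with_old_password": open_vault("old-master", stolen_copy),
        "live_vault_rejects_old_password": open_vault("old-master", live)["https://bank.example"] != "correct horse",
    }
```

The practical consequence for affected users is the one the article draws: rotating the master password protects only the live vault, so the credentials inside a stolen vault must be changed at each site.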