If you were confused about what exactly was stolen in 2022’s LastPass breach – join the club. I think much of the confusion is stemming from the damage control LastPass is attempting to do around their massive data exposure that happened in August and was revealed to the public in December. We know that much of the info that was stolen was unencrypted – login names, email addresses, URLs, etc. and there was some debate as to whether or not the hackers stole encrypted data that contained actual passwords. I’ve had several folks tell me point blank that the passwords weren’t exposed and that LastPass is still safe. Well, guess what – we can put that misconception to bed now. LastPass has dropped another bombshell – one of their devs got hacked and the hackers used the dev’s compromised home computer to gain access to LastPass’s Amazon secure cloud storage to steal the encrypted password vaults of 30 million customers.
What this means for you
There’s a whole lot of gobbledy-gook in the LastPass release – it reads like technical explanations filtered through an army of lawyers and PR flacks (because it was), and beats around the bush on the most important part: LastPass is confirming that Hackers have exfiltrated everyone’s encrypted password vaults – and as I have been warning you about since I learned about this – it is only a matter of time before someone brute-forces their way into someone’s encrypted vault and is rewarded with the password trove within. And they have all the time in the world to do this, which means you have much less time to change any passwords that were stored in LastPass. Hackers will target high-value password vaults first – they will look for ones that have lots of bank account logins or other potentially lucrative access points, but you can bet they will put computers to grinding out every single vault, big or small – because they can, and they have the resources to make this investment pay off.
Stop reading. Go change your passwords.
Image by Gerd Altmann from Pixabay
Password storage utility LastPass reported earlier this week that they discovered suspicious activity on their servers and as a result, some of their users’ data has probably been compromised: account emails, password reminders and some of the decryption hashes and salts. According to LastPass, user password vaults were not compromised, nor does it appear that any user accounts were accessed. As a precautionary measure, LastPass has turned on a secondary email authentication confirmations for all LastPass logins from new IP addresses, and they are recommending enabling multifactor authentication – a good security practice for any sensitive account (like your email).
What this means for you:
LastPass uses a very strong encryption method to secure your data, and it would take some significant computing resources to crack their encryption from a brute-force perspective. However, if your LastPass master password was easily guessable, in theory they could use the stolen hash and salt to confirm that password, and attempt to gain access to your LastPass account. In short: change your LastPass master password, and if you used that password anywhere else, change it there as well.