Over the past several weeks, news of a security breach at LastPass has gone from bad, to worse, to terrible.
LastPass develops a popular password manager app by the same name. News outlet BleepingComputer became aware in August 2022 that LastPass had suffered a security breach. Subsequent updates from LastPass have revealed new information as the company’s investigation of the breach has continued.
Following is a timeline of events, and everything we know so far about the LastPass security breach. We’ll also discuss how this impacts existing LastPass users, and whether it’s still safe to use LastPass.
In this article:
- Timeline of events
- What we know so far about the LastPass breach
- Is it still safe to use LastPass?
- What can current LastPass users do?
- How can I learn more?
Timeline of events
- early/mid-August 2022 – LastPass was hacked; BleepingComputer learns of breach from “insiders”
- August 21, 2022 – BleepingComputer contacts LastPass about the alleged breach, receives no reply
- August 25, 2022 – LastPass releases advisory, states hackers accessed “proprietary… technical information” via a compromised LastPass developer account; claims breach was contained
- November 30, 2022 – LastPass revises statement, says “certain elements of… customers’ information” had also been accessed
- December 22, 2022 – LastPass again revises statement, detailing that sensitive customer data had been accessed, along with backups of customer vaults containing both unencrypted and encrypted data
- December 26, 2022 – Wladimir Palant exposes misleading claims in LastPass’s December 22 statement
- December 28, 2022 – 1Password claims that most LastPass vaults could theoretically be cracked with merely $100 of computing power
- January 10, 2022 – Steve Gibson states that “many listeners” of his podcast had only 1 hashing iteration in their LastPass vaults
What we know so far about the LastPass breach
A tech news site, BleepingComputer, learned from “insiders” in mid-August 2022 that LastPass, a prominent password management company, had allegedly been breached. BleepingComputer contacted LastPass on August 21 but received no response.
On August 25, LastPass released its initial statement about the breach on the company’s blog. LastPass claimed that the breach was limited to their development environment, and that no customer information or users’ password vault data had been compromised. However, the company said that it had “engaged a leading cybersecurity and forensics firm,” and its investigation was ongoing.
Just over two months later, and about a week after the U.S. Thanksgiving holiday, LastPass released an updated statement about the breach on November 30. LastPass claimed that the company “recently detected unusual activity within a third-party cloud storage service” shared by LastPass and its affiliate GoTo. The company “engaged Mandiant, a leading security firm, and alerted law enforcement.” This order of events seems to suggest that by “recently detected,” LastPass was referring to the “unusual activity” that took place back in August. LastPass further stated that “certain elements of our customers’ information” had been accessed by an unauthorized party.
The plot thickens
Three weeks and a day after that, LastPass released yet another updated statement on December 22. This is where things start to get much more interesting.
Allegedly, the “source code and technical information” that an attacker had accessed in their development environment were “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”
At this point, LastPass admitted that the “certain elements” of customer information, to which the company had alluded in November, included “customer account information and related metadata” such as:
- end-user names (presumably meaning users’ real, full names)
- company names
- billing addresses
- email addresses
- telephone numbers
- the IP addresses from which customers were accessing the LastPass service
Such a customer data breach is pretty significant. This information could easily be used by an attacker to phish LastPass users and trick them into revealing their data vault password.
But the loss of customers’ personally identifiable information wasn’t necessarily the most troubling problem.
“The threat actor was also able to copy a backup of customer vault data,” LastPass continued. In the company’s proprietary data format, vault data includes “both unencrypted data, such as website URLs,” and encrypted fields, “such as website usernames and passwords, secure notes, and form-filled data.”
So the attacker can not only easily phish victims for their LastPass vault password, but they can also see every site for which the victim has stored a password, and phish victims for those individual site usernames and passwords as well.
Third-party experts (and competitors) weigh in
Wladimir Palant, a security researcher best known as the original developer of Adblock Plus, has also developed a free password manager of his own: PfP: Pain-free Passwords. Palant had a lot to say about LastPass’s statements, alleging that they were “full of omissions, half-truths and outright lies.” He goes into a lot of technical detail that we won’t repeat here. But one interesting observation is that LastPass’s implementation of a password-strengthening algorithm is no longer considered strong by OWASP standards (and hasn’t been since mid-March 2021, I discovered; this seems to be based on FIPS 140-3, U.S. government standards last updated in March 2019).
But worse yet, many LastPass users’ vaults are still using horribly outdated implementations. To give a sense of scale without getting too technical, 310,000 hashing iterations is the current standard; newly created LastPass vaults since sometime in 2018 have used 100,100 iterations; but Palant learned that 5,000 and even 500 iterations are used by old LastPass vaults that were never upgraded since 2018. Palant is even aware of “one confirmed case” of a vault using only 1 single iteration.
In other words, many longtime LastPass users’ vaults could easily have been cracked by now.
That sentiment is shared by another LastPass competitor, 1Password (which admits that it still uses 100,000 hashing iterations, negligibly fewer than LastPass). In a blog post on December 26, 1Password alleged that only $100 or less of rented computing power would be sufficient to crack the master password of many LastPass vaults that use 100,100 iterations. (1Password offered reasons why it believed its password manager was nevertheless safer than LastPass.)
*Update: On this week’s Security Now podcast, host Steve Gibson had similar thoughts to those shared by LastPass’s competitors. First, Gibson said that “many listeners” had reported that their vaults used only 1 single hashing iteration—which confirms one of Palant’s claims. Second, Gibson had thoughts similar to 1Password’s allegations about cracking LastPass vault passwords, although Gibson’s focus was on the speed of cracking using personally owned equipment, rather than the cost of renting servers. Gibson posited that a threat actor could “crack a 100,100 iteration PBKDF2-protected password” with a strong password in roughly 71 days, using what he believed to be a plausible cracking rig. Given that same scenario, that same strong password could be cracked in about 62 seconds, for those whose LastPass vaults used only 1 hashing iteration. (You can watch or listen to the episode, or see pages 5–6 of his show notes PDF.)
This is a far cry from the “millions of years” that LastPass’s blog post claims it would take to break into a LastPass vault.
Is it still safe to use LastPass?
What can current LastPass users do?
At this point, LastPass users should assume that any password or other information stored within their LastPass account may have been accessed by an attacker. Thus:
- LastPass users should immediately begin the process of migrating to a different password manager.
- After migrating to a new password manager, former LastPass users should change their passwords for all services that had been stored in their LastPass vault.
Of course, LastPass would have you believe that such action isn’t necessary. But after reading the information above, you can decide for yourself.
Choosing a new password manager can be challenging; it’s difficult to know for sure whether similar incidents could happen with many LastPass competitors. We recommend choosing a password manager that has a strong reputation. If you just need to store passwords and don’t use a password manager for storing other information, Apple’s iCloud Keychain may be a good, free option for anyone who already uses Apple devices. If you need a password manager with more features, check out a few of the options listed in our article, How to Choose the Right Password Manager for You.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: