A seemingly run-of-the-mill breach at LastPass in August produced one of last year’s most alarming security incidents. Downstream impacts mounted as the year came to a close, months after the password manager claimed the threat contained.
LastPass users and business customers should be on high alert and change all passwords immediately, following a subsequent breach that exposed password vault data, according to cybersecurity analysts and threat researchers.
Most of the data held by the password manager is now compromised after an unknown threat actor accessed and copied the company’s cloud-based storage vault. This includes encrypted passwords and usernames, and unencrypted data, such as the websites customers access via LastPass, email addresses, phone numbers and the IP addresses customers use to access the platform.
The unencrypted data provides an adversary the specific companies and URLs they could impersonate via phishing or social engineering campaigns to dupe users into sharing their master password.
“This is about as bad as it gets,” Chester Wisniewski, principal research scientist at Sophos, said via email. “Unless they accidentally were logging peoples’ master passwords, which is about the only thing that can make this worse.”
While LastPass CEO Karim Toubba maintains the encrypted fields and master passwords remain secured, cybersecurity professionals take issue with that claim and criticized the company for how it’s responded to the incident thus far.
“The way LastPass has handled this breach to date is a master class on how not to do things,” Katell Thielemann, VP analyst at Gartner, said via email.
“LastPass seems to be delaying communications, obfuscating the size and severity of the problem, and staying conspicuously silent about how they are dealing with the issue,” Thielemann said.
Analysts and researchers also pushed back on Toubba’s assertion that master passwords of at least 12 characters would take “millions of years” to guess using generally available tools.
“It is possible to crack those passwords,” Melissa Bischoping, director of endpoint security research at Tanium, said via email. “Instead of running the math to determine how complex your password would be to crack with modern equipment, it’s best to go ahead and do some credential hygiene.”
From a practical perspective, users should change their master passwords right away, and then change passwords for all sites and accounts stored in their vault, Jess Burn, senior analyst at Forrester, said via email.
Burn also encouraged business customers to consider going passwordless by applying a layered approach to workforce authentication with a native mobile authenticator with third-party verified digital certificates or single-factor biometrics.
“From a user perspective, this is really confusing," Thielemann said. "If I hear that I paid a vendor to secure my passwords and all my information is compromised but theirs isn’t, what did I really pay for?”
LastPass is used by more than 33 million registered users and more than 100,000 business customers.
“LastPass should be much more transparent about impact, risk and next steps,” Thielemann said. “This should be a priority candidate for a deep dive by the Cyber Safety Review Board led by the Cybersecurity and Infrastructure Security Agency.”