What You Need to Know and Do About the LastPass Breach
If you’re a LastPass user, like many of us in the WordPress community, you may be looking for an alternative password management solution today. After a massive security breach at LastPass the company did not disclose in a timely manner — which has put potentially your data at risk — you should look into switching to Bitwarden or 1Password. Even better, start using passkeys when possible — they make passwordless logins the ultimate security solution. Finally, if you’re responsible for the security of others’ data or if you have a communication role, you can learn from LastPass’s mistakes — mainly what not to do. Let’s take a look at what happened, what should have happened, and how you should proactively secure your online accounts.
Digging a Hole Deeper Won’t Get You Out
In August 2022, LastPass CEO Karim Toubba posted the first of what would become a series of increasingly serious public disclosures about a deep and ongoing security breach. The initial disclosure said “an unauthorized party” partially accessed LastPass engineers’ development environment by exploiting “a single compromised developer account.” The intruder stole some source code and “proprietary LastPass technical information.” However, Toubba said there was no impact on the LastPass password management platform itself or its customers. Unequivocally, he assured LastPass customers their master passwords, data, and personal information were safe. We believed our critical account information was totally secure, untouched by intruders.
Unfortunately, this wasn’t true at all.
What Really Happened at LastPass
Starting in late November, Toubba made several more updates to LastPass’s disclosure that Zack Whittaker at TechCrunch helpfully parsed to show what LastPass was not explaining. LastPass eventually made it clear the attacker stole some customer data in a second breach enabled by “information obtained” in the earlier breach. First, the attacker had targeted one LastPass developer and then another to break deeper into LastPass’s systems, including the cloud storage of LastPass’s parent company, GoTo. (GoTo also owns LogMeIn and GoToMyPC.)
In a disturbing move, GoTo hid its own disclosure from search engines.
Then, right before Christmas, Toubba updated the LastPass breach disclosure again. He confirmed the attackers stole a backup snapshot of encrypted LastPass customer password vaults. Toubba also acknowledged anyone with the snapshot could use brute force methods to crack the encrypted customer password vaults. Included in the breach were the names of LastPass customers, their company names and email addresses, their phone numbers and IP addresses, URLs, notes, form data, and some billing information.
This is beyond bad.
The Impact of Bad Crisis Communication From LastPass
LastPass has not disclosed key facts like how many user accounts are in the stolen data. Consequently, we should assume all 25+ Million LastPass users (as of November 2022) are at risk due to these security breaches. Additionally, even former customers may be at risk now if the stolen backup files contain their old personal and password vault data.
I have used LastPass for many years for access to other peoples’ passwords they’re sharing with me for work purposes. While I haven’t paid to use the service myself, I’ve had to keep an account with LastPass for this reason. I received the security breach notifications from LastPass by email like other customers, and I was immediately concerned. I noticed the topic came up for discussion in Post Status Slack, a popular community forum for WordPress professionals. Robert Rowley, a Developer Advocate for Patchstack, shared the news there. He noted, “No master passwords or stored passwords were leaked. No action is needed.” Like millions of other Patchstack users, we all trusted what the company had told us, and we were wrong.
Later, others at Patchstack and in the WordPress community shared news of GoTo suppressing their own breach disclosure. In December, Rowley commented again, observing how far things had come from the initial statement we all believed. “No customer vaults were accessed.” Comparing the series of contradictory disclosures to getting punched, Rowley observed, “This can be seen as a left-right combo of loss of trust, every update makes the incident come out worse.”
Updates to the LastPass story…
• It’s still getting worse in late January 2023.
• At the end of February 2023, has the bad news from LastPass finally hit bottom?
• March 2023: It turns out a simple software update applied any time in the past three years would’ve prevented the LastPass hack. Always run your WordPress updates!
What Should Have Happened at LastPass
In the open-source community, we value transparency to a fault. Especially where security is concerned, we try to maintain and protect a culture of responsible disclosure. If we discover vulnerabilities in open-source software products, we quietly notify their owners and maintainers. We expect them to alert their users promptly and make a full disclosure as soon as they’ve patched any exploitable code. We expect that to happen very quickly, as a top priority. In this way, open-source community members try to help each other solve problems impacting everyone instead of covering them up, which happens frequently with proprietary software.
A similar ethic applies when malign individuals steal high-value and personal identification information (PII). While security breach notification laws vary in different states and countries, they all require timely disclosure to the affected people. It’s not a simple courtesy — it’s a legal and ethical obligation.
In Security, Trust is Everything
All security breaches can damage trust. They’re all bad situations that can only get worse when deepened by delay. Disclosing incorrect and incomplete information can be catastrophic for a company and brand as we’ve seen with LastPass.
Why should anyone trust a company that exhibits such irresponsible, self-concerned, and inevitably self-destructive behavior when it has failed its customers badly? Honesty, direct, and clear communication that focuses on mitigating harm to customers is the only possible way to make things better.
Ultimately trust is not a technology or technical concept. It is about human relationships. Trust depends on how you treat people, especially those who have put their trust in you. We don’t always make good on our promises and failure is always possible. The only way forward that might renew trust when the worst happens is to admit what happened and lay it all out honestly.
How Should LastPass Users Respond to the Security Breach?
Given the way that LastPass has disclosed this breach, additional security measures on LastPass to protect your password vault won’t help. It’s time to start to first, migrate to a new password manager such as 1Password, Bitwarden, or NordPass, and second and most importantly start changing the passwords on critical sites and applications whose credentials you stored in your LastPass vault. Adding two-factor authentication to those sites would be a very wise move if you haven’t done so already.
If your vault was not protected by a strong master password, all of your online accounts will eventually be compromised. Even if you did have a strong master password, it could still be cracked by brute force.
It’s not a question of if your data will be decrypted, it is a matter of when. Given that this breach happened five months prior to LastPass’s disclosure that customer vaults were impacted, malicious attackers already have a head start. As such, it is critical to begin securing the credentials for any accounts you stored on LastPass.
That’s why the next and most important thing to do is to start changing all the passwords to all the accounts you have stored in LastPass. Prioritize the most vital ones first — like financial accounts, site admin accounts, and others whose loss could cost you dearly.
It’s Time to Leave LastPass
Finally, we recommend closing your LastPass account and moving to another service like Bitwarden or 1Password. Bitwarden has a migration tool to import your LastPass account records. So does 1Password.
It’s time to move off of LastPass. If you have the funds to spend on 1Password, it is a more robust alternative to many of the other password managers available. Their security setup also relies on a secret key to secure vaults. 1Password has been a choice of many security professionals, and it has great systems for sharing vault access for teams requiring access to numerous accounts.
Another alternative is Bitwarden. An open-source tool, Bitwarden’s source code is available for review on Github where it is frequently audited by security researchers. The paid account is only $10 per year, which makes supporting the project easy for people on a budget. You can also host your Bitwarden vault on your own should you wish to do so.
An Opportunity to Rethink Your Own Security Practices
Even if you’re not a customer, the LastPass breach is a good opportunity to think about your own security policies. A major feature of password managers like LastPass is the ability to share access to online accounts with other people. The limitations of many online services and workplace needs drive us to share account access as a convenience. However, sharing accounts is, as a rule, a very bad security practice. Don’t give more than one person access to single-user social media accounts like Twitter! Use a multi-user social media manager app instead. Then you can allow any number of people to send out tweets without risking the loss of your primary account. And when those people leave or change roles, managing their access privileges will be much simpler.
Anyone you have given access to passwords shared in an app like LastPass may keep those passwords — forever. They may write them down. They may save them in their browser’s password manager for convenience. People come and go in every team and organization. Proper security practice requires that you delete unused accounts and change passwords without delay. Do you practice this? How well do you do it? Have you made it as easy and clear as possible? Have you delegated this crucial responsibility to a specific person? Who checks on and audits your team’s access privileges? How often do they do it?
Think about your own worst-case scenarios. How would you handle communication about a breach that exposed your customer data? How can you work back to a proactive prevention strategy so this never happens?
No business is too small to ignore these crucial responsibilities. What can you do today to lower the risk of a catastrophic breach tomorrow?
Passkeys for the Win! The Future of Digital Security
This event underscores the problems with passwords. Password managers are attempting to support more complex passwords, and two-factor authentication has attempted to provide another layer of security. However, according to Verizon’s data security report, less than 30% of users actually use 2FA. Passwords are truly broken. Passkeys are the solution moving forward.
A passkey is a type of authentication method that involves the use of a physical device, such as a key fob or a smart card, to verify the identity of a user. A computer or phone with increasingly common biometric login methods can also be used to authenticate your identity on a website. Passkeys are considered to be more secure than other authentication methods, like passwords, because they provide an additional layer of security.
If your computer is a known, trusted device with a passkey for your bank account (or WordPress site if you use iThemes Security Pro) you can bypass traditional site logins. It’s enough for the website to recognize your device and possibly ask for a fingerprint through Touch ID on Apple devices or Windows Hello for Microsoft.
True Peace of Mind is Passwordless
One advantage of passkeys is that they cannot be easily guessed or cracked as a password can. Passwords can be vulnerable to dictionary attacks, where a hacker tests a list of common passwords to try to gain access to an account. Passkeys, on the other hand, are typically unique and cannot be easily replicated, making them much more difficult to compromise.
Additionally, passkeys can be used in conjunction with other authentication methods, such as a device password or biometric authentication, to provide an even higher level of security. This is known as multi-factor authentication, and it can greatly increase the difficulty for a hacker to gain access to an account.
Passkeys may soon make password managers like LastPass unnecessary. That will make the web safer, as big platform security breaches like LastPass experienced may become a thing of the past. If you run a WordPress or WooCommerce site, you can give yourself and your users the high security and unmatched convenience of passwordless logins with iThemes Pro’s passkey feature.
A Live Interactive Online Training Course
January 10, 2023 @ 1:00 p.m. (Central)
In this webinar, we’ll discuss the recent LastPass breach and what we can learn about this when protecting our digital lives (including our WordPress sites), and we’ll also evaluate the current state of passwords, password managers, two factor authentication and more so that we can move into 2023 safe.
We’ll also talk about the solution to put passwords behind us with passkeys and the state of implementation of WebAuthn both by tech giants as well as iThemes Security.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.