iThemes Security

The LastPass Security Breach: How to Protect Yourself

Let’s take a look at the LastPass security breach, what should have happened, and how you should proactively secure your online accounts. 

Dan Knauss

If you’re a LastPass user, like many of us in the WordPress community, you may be looking for an alternative password management solution today. After a massive security breach at LastPass that the company did not disclose promptly, potentially putting your data at risk, you should look into switching to Bitwarden or 1Password. Even better, start using passkeys when possible; they make passwordless logins the ultimate security solution. Finally, if you’re responsible for the security of others’ data or have a communication role, you can learn from LastPass’s mistakes, mainly what not to do. Let’s look at what happened, what should have happened, and how to proactively secure your online accounts.

What You Need to Know and Do About the LastPass Breach

LastPass Security Breach

Digging a Hole Deeper Won’t Get You Out

Unequivocally, LastPass assured customers their master passwords, data, and personal information were safe. We believed our critical account information was totally secure. Unfortunately, this wasn’t true at all.

In August 2022, LastPass CEO Karim Toubba posted the first in a series of alarming public disclosures. At first, it was not clear this was a deep and ongoing security breach. The initial disclosure said “an unauthorized party” partially accessed LastPass engineers’ development environment by exploiting “a single compromised developer account.” The intruder stole some source code and “proprietary LastPass technical information.” However, Toubba said there was no impact on the LastPass password management platform itself or its customers. Unequivocally, he assured LastPass customers their master passwords, data, and personal information were safe. We believed our critical account information was totally secure, untouched by intruders. 

Unfortunately, this wasn’t true at all. 

What Really Happened at LastPass

Starting in late November, Toubba made several more updates to LastPass’s initial disclosure. Zack Whittaker at TechCrunch helpfully parsed them to show what LastPass was not explaining. LastPass eventually admitted the attacker stole some customer data in a second breach. The attacker used “information obtained” in the earlier breach to enable the second breach. First, the attacker had targeted one LastPass developer and then another. The attacker was able to break deeper into LastPass’s systems in the second breach. LastPass’s parent company, GoTo, has a cloud storage platform the attacker compromised in the second breach. (GoTo also owns LogMeIn and GoToMyPC.) 

In a disturbing move, GoTo hid its own disclosure from search engines.


Then, right before Christmas, Toubba updated the LastPass breach disclosure again. He confirmed the attackers stole a backup snapshot of encrypted LastPass customer password vaults. Toubba also acknowledged anyone with the snapshot could use brute force methods to crack the encrypted customer password vaults. Included in the breach were the names of LastPass customers, their company names and email addresses, their phone numbers and IP addresses, URLs, notes, form data, and some billing information. 

This is beyond bad.

Unbelievably, this “update” conveys no sense of appropriate urgency for a security breach of the magnitude LastPass has experienced.

The Impact of Bad Crisis Communication From LastPass

LastPass has not disclosed key facts like how many user accounts are in the stolen data. Consequently, we should assume all 25+ million LastPass users (as of November 2022) are at risk due to these security breaches. Additionally, even former customers may be at risk now if the stolen backup files contain their old personal and password vault data.

A series of contradictory security disclosures is like a combination punch in the face of people who have placed their trust in you and your brand.

I have used LastPass for many years for access to other peoples’ passwords they’re sharing with me for work purposes. While I haven’t paid to use the service myself, I’ve had to keep an account with LastPass for this reason. I received the security breach notifications from LastPass by email like other customers, and I was immediately concerned.

I noticed the topic was discussed in Post Status Slack, a popular community forum for WordPress professionals. Robert Rowley, a Developer Advocate for Patchstack, shared the news there. He noted, “No master passwords or stored passwords were leaked. No action is needed.” Like millions of other Patchstack users, we all trusted what the company had told us, and we were wrong.

Later, others at Patchstack and in the WordPress community shared news of GoTo suppressing their own breach disclosure. In December, Rowley commented again, observing how far things had come from the initial statement we all believed. “No customer vaults were accessed.” Comparing the series of contradictory disclosures to getting punched, Rowley observed, “This can be seen as a left-right combo of loss of trust; every update makes the incident come out worse.”

Updates to the LastPass story…

January 2023: LastPass reveals other platforms belonging to its parent company were also compromised, and a US-based class action is formed on behalf of customers against LastPass.
February 2023: LastPass explains the breach came through an employee’s home computer and included a decrypted vault.
March 2023: LastPass reveals that a simple software update applied to that employee’s home computer at any time in the past three years would’ve prevented the biggest data breach in history — theirs.
September 2023: Security experts confirm that stolen LastPass vaults have been cracked, and private keys extracted from them are being used to steal tens of millions of dollars in cryptocurrency.
October 2023: In just one day, USD $4.4 million in cryptocurrencies is stolen from over two dozen people due to the LastPass hack.

What Should Have Happened at LastPass

Ultimately trust is not a technology or technical concept. It is about human relationships. Trust depends on how you treat people, especially those who have put their trust in you.

In the open-source community, we value transparency to a fault. Especially where security is concerned, we try to maintain and protect a culture of responsible disclosure. If we discover vulnerabilities in open-source software products, we quietly notify their owners and maintainers. We expect them to alert their users promptly and make a full disclosure as soon as they’ve patched any exploitable code.

We also expect disclosures to happen very quickly as a top priority. In this way, open-source community members try to help each other solve problems impacting everyone instead of covering them up, which happens frequently with proprietary software.

A similar ethic applies when malign individuals steal high-value and personally identifiable information (PII). While security breach notification laws vary in different states and countries, they all require timely disclosure to the affected people. It’s not a simple courtesy; it’s a legal and ethical obligation.

In Security, Trust is Everything

All security breaches can damage trust. They’re all bad situations that can only get worse when deepened by delay. Disclosing incorrect and incomplete information can be catastrophic for a company and brand as we’ve seen with LastPass.

Why should anyone trust a company that exhibits such irresponsible, self-concerned, and inevitably self-destructive behavior when it has failed its customers badly? Honest, direct, and clear communication that focuses on mitigating harm to customers is the only possible way to make things better.

Ultimately trust is not a technology or technical concept. It is about human relationships. Trust depends on how you treat people, especially those who have put their trust in you. We don’t always make good on our promises and failure is always possible. The only way forward that might renew trust when the worst happens is to admit what happened and lay it all out honestly.

How Should LastPass Users Respond to the Security Breach?

Given the way that LastPass has disclosed this breach, additional security measures on LastPass to protect your password vault won’t help. First, migrate to a new password manager such as 1Password, Bitwarden, or NordPass. Second, and most importantly, start changing the passwords on critical sites and applications whose credentials you stored in your LastPass vault. Adding two-factor authentication to those sites would be a very wise move if you haven’t done so already.

The most important thing to do is to start changing all the passwords to all the user accounts you have stored in LastPass — immediately.

If you did not protect your vault with a very strong master password, eventually hackers will crack it. They will spread the stolen data across the dark web for years to come, and they will have all the time in the world to work through it.

It’s not a question of if your data will be decrypted. It is a matter of when. Because this breach happened five months prior to LastPass’s initial disclosure, malicious attackers already have a head start. It is critical to begin securing the credentials for any accounts you stored on LastPass. 

That’s why the next and most important thing to do is to start changing all the passwords to all the accounts you have stored in LastPass. Prioritize the most vital ones first — like financial accounts, site admin accounts, and others whose loss could cost you dearly.

It’s Time to Leave LastPass

Finally, we recommend closing your LastPass account and moving to another service like Bitwarden or 1Password. Bitwarden has a migration tool to import your LastPass account records. So does 1Password.


It’s time to move off of LastPass. If you have the funds to spend on 1Password, it is a more robust alternative to many of the other password managers available. Their security setup also relies on a secret key to secure vaults. 1Password has been a choice of many security professionals, and it has great systems for sharing vault access for teams requiring access to numerous accounts. 

Another alternative is Bitwarden. An open-source tool, Bitwarden’s source code is available for review on GitHub. Security researchers frequently audit it. The paid account is only $10 per year, which makes supporting the project easy for people on a budget. You can also host your Bitwarden vault on your own should you wish to do so.

An Opportunity to Rethink Your Own Security Practices

Even if you’re not a customer, the LastPass breach is a good opportunity to think about your own security policies. A major feature of password managers like LastPass is the ability to share access to online accounts with other people. The limitations of many online services and workplace needs drive us to share account access as a convenience. However, sharing accounts is, as a rule, a very bad security practice. Don’t give more than one person access to single-user social media accounts like Twitter! Use a multi-user social media manager app instead. Then you can allow any number of people to send out tweets without risking the loss of your primary account. And when those people leave or change roles, managing their access privileges will be much simpler.

As a rule, sharing account credentials is a very bad security practice.

Anyone you have given access to passwords shared in an app like LastPass may keep those passwords — forever. They may write them down. They may save them in their browser’s password manager for convenience.

People come and go in every team and organization. Proper security practice requires that you delete unused accounts and change passwords without delay. Do you practice this? How well do you do it? Have you made it as easy and clear as possible? Have you delegated this crucial responsibility to a specific person? Who checks on and audits your team’s access privileges? How often do they do it?

Think about your own worst-case scenarios. How would you handle communication about a breach that exposed your customer data? How can you work back to a proactive prevention strategy so this never happens?

No business is too small to ignore these crucial responsibilities. What can you do today to lower the risk of a catastrophic breach tomorrow?

Passkeys for the Win! The Future of Digital Security

This event underscores the problems with passwords. Password managers are attempting to support more complex passwords, and two-factor authentication has attempted to provide another layer of security. However, according to Verizon’s data security report, less than 30% of users actually use 2FA. Passwords are truly broken. Passkeys are the solution moving forward. 

A passkey is a type of authentication method that involves the use of a physical device, such as a key fob or a smart card, to verify the identity of a user. A computer or phone with increasingly common biometric login methods is a great way to authenticate your identity on a website. Passkeys are more secure than other authentication methods, like passwords, because they provide an additional layer of security.

With passkeys, you can bypass traditional, far less secure site logins.

If your computer is a known, trusted device with a passkey for your bank account (or WordPress site if you use Solid Security Pro), you can bypass traditional site logins. It’s enough for the website to recognize your device and possibly ask for a fingerprint through Touch ID on Apple devices or Windows Hello for Microsoft. 

True Peace of Mind is Passwordless

One advantage of passkeys is that they cannot be easily guessed or cracked as a password can. Passwords can be vulnerable to dictionary attacks, where a hacker tests a list of common passwords to try to gain access to an account. Passkeys, on the other hand, are typically unique and cannot be easily replicated, making them much more difficult to compromise.

Passkeys may soon make password managers like LastPass unnecessary.

Additionally, passkeys can be used with other authentication methods, such as a device password or biometric authentication, to provide an even higher level of security. This is known as multi-factor or two-factor authentication, which can greatly increase the difficulty for a hacker to gain access to an account.

Passkeys may soon make password managers like LastPass unnecessary. That will make the web safer, as big platform security breaches like LastPass experienced may become a thing of the past. If you run a WordPress or WooCommerce site, you can give yourself and your users the high security and unmatched convenience of passwordless logins with Solid Security Pro’s passkey feature.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
