The LastPass Breach - How Worried Should You Be and What Steps Should Be Taken NOW
Direct From Don - IT Issues and Current Technology Trends in the News Explained By The Owner of Applied Integration
You’ve no doubt heard the news by now that LastPass, the secure password management and storage system, suffered a breach. This is certainly unsettling news for those of us who take password management seriously and have gone through the effort of getting all our passwords into a management system.
There are lots of folks on social media recently, many of them saying that “You must throw out LastPass now”. However, I don’t think it’s quite as easy as that to determine the right course of action in this situation. As with many incidents like this, you really do need to understand what’s known about the breach and a bit of the technical details so that you can intelligently assess the risks and make your own decision.
So, here are a few of the technical details of this incident, based on the information LastPass has released.
First, the breach appears to have started when a LastPass employee fell for a phishing attack which exposed that person’s internal credentials. Using those credentials, the attackers were able to gain access to both the development environment for the LastPass application and some of the backup locations for our “vaults” of password data. Some number of the backup vaults were stolen as part of the breach.
Now, here’s where we have to understand the technical details just a bit. The “vault” that stores our passwords inside the LastPass systems is encrypted using AES-256 encryption, which is about the best there is at this point. So if I think about my vault inside LastPass, think of it as a container or “blob” of data that has all my URLs, usernames, passwords, secure notes and anything else I’ve stored with LastPass inside it. Most of the data in that blob is encrypted. Some items, however, are not, such as the URLs themselves. So if you were to take a look at the contents of my vault, you would be able to see a URL for, let’s say, www.americanexpress.com in plain text, but my username and password for that site are encrypted.
The only key to decrypt my vault is my LastPass Master Password, and that password has never been inside the LastPass environment; it is only present on my local machine when I first type it in to log into LastPass. Once I’ve typed in my master password, my “blob” of data is opened on my local computer, phone, tablet, etc., and now I can auto-fill the website with my credentials.
So what do the bad guys have their hands on? An encrypted blob of data but NOT the key needed to decrypt that blob.
Now, that’s still bad. But let’s go back to my americanexpress.com account for a minute. If today I go to that site and use LastPass to change my password there, the password stored in the encrypted blob that the bad guys have is no longer valid, even if they somehow manage to decrypt that data.
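To make the vault model above concrete, here is an added example (my own constructed toy, not LastPass’s real file format or cipher) of a vault blob where site URLs sit in plain text but credentials are sealed under a key derived from the master password, which is never stored in the blob. It uses only the Python standard library, so an HMAC-based stream-and-tag construction stands in for AES-256; the iteration count, salt handling and field names are assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed illustration only: NOT LastPass's real format or cipher.
PBKDF2_ITERATIONS = 100_000  # assumed; slows down offline guessing of the master password


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Turn the master password into a 256-bit key on the local device only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES: HMAC-SHA256 in counter mode produces the keystream.
    out = b""
    for counter in range((length // 32) + 1):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").hexdigest()  # detects tampering / wrong key
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def unseal(key: bytes, box: dict) -> bytes:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expected = hmac.new(key, nonce + ct, "sha256").hexdigest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_vault(master_password: str, entries: list) -> dict:
    """Serialize entries: URL stays readable, username/password are sealed."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    items = [{"url": e["url"], "secret": seal(key, json.dumps({"username": e["username"], "password": e["password"]}).encode())} for e in entries]
    return {"salt": salt.hex(), "items": items}  # no key, no master password inside


def urls_visible_without_key(vault: dict) -> list:
    """What someone holding only the stolen backup can read with no master password."""
    return [item["url"] for item in vault["items"]]


def unlock_vault(master_password: str, vault: dict):
    """Return decrypted entries, or None if the master password is wrong."""
    key = derive_key(master_password, bytes.fromhex(vault["salt"]))
    try:
        return [{"url": i["url"], **json.loads(unseal(key, i["secret"]))} for i in vault["items"]]
    except ValueError:
        return None
```

Note that an attacker with the blob can still run `derive_key` over guessed master passwords offline, which is exactly why the master password’s length and complexity matter and why rotating the site passwords stored inside it removes the value of whatever they eventually decrypt.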
I’m not recommending you throw out your LastPass account and move to some other password manager. Instead, I’m applauding you for using a password management tool and just recommending you go right now and start changing passwords. And while you’re at it, make sure your Master Password is long and complex, and, as one final security measure, turn on two-factor authentication at least on your LastPass account. (I recommend turning it on for EVERY account that supports it, but at least do it for your LastPass account.)
This incident once again underscores the importance of having good password management built into your daily habits. There’s no better defense at this point than to use a good password management tool so that you can generate random passwords for all of the websites and accounts you need to store, and using 2FA on as many of those accounts as you can adds another nearly undefeatable layer of protection.
But we also have to be realistic about security and understand that there is no one method that is completely unbreakable at this point. For all the good folks working on security systems, there are teams of very smart, well-funded bad folks working to break through new defenses.